Limits of Random Oracles in Secure Computation 

Mohammad Mahmoody, Hemanta K. Maji, Manoj Prabhakaran

March 4, 2013 



Abstract 

The seminal result of Impagliazzo and Rudich (STOC 1989) gave a black-box separation between 
one-way functions and public-key encryption: informally, a public-key encryption scheme cannot be 
constructed using one-way functions as the sole source of computational hardness. In addition, this 
implied a black-box separation between one-way functions and protocols for certain Secure Function 
Evaluation (SFE) functionalities (in particular, Oblivious Transfer). Surprisingly, however, since then 
there has been no further progress in separating one-way functions and SFE functionalities (though 
several other black-box separation results were shown). In this work, we present the complete picture for 
deterministic 2-party SFE functionalities. We show that one-way functions are black-box separated from 
all such SFE functionalities, except the ones which have unconditionally secure protocols (and hence do 
not rely on any computational hardness), when secure computation against semi-honest adversaries is 
considered. In the case of security against active adversaries, a black-box one-way function is indeed 
useful for SFE, but we show that it is useful only as much as access to an ideal commitment functionality 
is useful. 

Technically, our main result establishes the limitations of random oracles for secure computation. 
We show that a two-party deterministic functionality f has a secure function evaluation protocol in the random oracle model that is (statistically) secure against semi-honest adversaries if and only if f has a protocol in the plain model that is (perfectly) secure against semi-honest adversaries. Further, in the setting of active adversaries, a deterministic SFE functionality f has a (UC or standalone) statistically secure protocol in the random oracle model if and only if f has a (UC or standalone) statistically secure protocol in the commitment-hybrid model.

Our proof is based on a "frontier analysis" of two-party protocols, combining it with (extensions of) the "independence learners" of Impagliazzo-Rudich/Barak-Mahmoody. We make essential use of a combinatorial property, originally discovered by Kushilevitz (FOCS'89), of functions that have semi-honest secure protocols in the plain model (and hence our analysis applies only to functions of polynomial-sized domains, for which such a combinatorial characterization is known).

Keywords: Secure Function Evaluation, Random Oracle Model, One-Way Function, Random Permutation Oracle, Ideal Cipher, Symmetric Primitives, Black-Box Separation.
1 Introduction

How useful is a random oracle in two-party secure function evaluation (SFE)? One obvious use of a random oracle is for implementing commitment. We show that, remarkably, for 2-party SFE¹ a random oracle by itself is only as useful as a commitment functionality.

This result has important implications in understanding the "complexity" of secure function evaluation functionalities vis-à-vis computational primitives like one-way functions. An important goal in cryptography is to understand the qualitative complexity of various cryptographic primitives. In the seminal work of Impagliazzo and Rudich [IR89] a formal framework was established to qualitatively separate cryptographic primitives like symmetric-key encryption and public-key encryption from each other. Understanding that such a separation exists has been hugely influential in theoretical and practical cryptographic research in the subsequent decades: to optimize on both security and efficiency dimensions, a cryptographic construction would be based on symmetric-key primitives when possible, and otherwise is shown to "require" public-key primitives.

Beyond encryption, the result in [IR89] already implies the separation of certain SFE functionalities (in 
particular, Oblivious Transfer) from one-way functions. Surprisingly, however, since then there has been no 
further progress on separating SFE functionalities and one-way functions (though several other black-box 
separation results have emerged [Sim98, GKM+00, GMR01, BPR+08, KSY11, MM11]). In this work, 
we present the complete picture for deterministic 2-party SFE functionalities: we show that in the case 
of security against semi-honest adversaries, all of them are black-box separated from one-way functions, 
except the ones which are trivial (which have unconditionally perfectly secure protocols). In the case of 
active adversaries, a black-box one-way function is indeed useful for SFE, but we show that it is useful 
only as much as access to a commitment functionality is useful (and explicitly characterize the functions for 
evaluating which it is useful). 

Our work could be viewed as a confluence of two largely disjoint lines of work — one on black-box one-way functions, and one on the structure of secure function evaluation functionalities. The former line essentially started with [IR89]. The latter can be traced back to concurrent work [CK89, Bea89, Kus89] which combinatorially characterized which finite (2-party) functionalities have (perfectly) semi-honest secure protocols. This property, called decomposability [Kus89], will be important for us. Several later works obtained such combinatorial characterizations of SFE functionalities in different contexts (e.g., [Kil91, BMM99, KKMO00, MPR10, KM11, Kre11]).

An important ingredient of our proof is the "frontier analysis" approach from [MPR09, MOPR11]. As we shall see, frontier analysis provides a powerful means to explicitly work with otherwise-subtle conditional probabilities, especially as arising in 2-party protocols. In essence, it is simply a means to explicitly keep track of the order in which various events occur in a protocol (or more generally, in a sequence of random variables). But as we shall see, having an explicit mental picture lets us define frontiers and reason about their properties that are a priori not obvious (see Figure 2 in Section 5.1, for instance). The proof in [CI93] could in fact be viewed as an instance of frontier analysis (and is one of the earliest ones that the authors are aware of). An instance of such an approach in a non-cryptographic setting is present in the recent work of Barak et al. [BBCR10], who consider frontiers in a protocol where significant amounts of "new and relevant" information are revealed, and use this to reduce the total amount of communication.

¹ We restrict our treatment to SFE functionalities with finite (or at most polynomial-sized) domains. This is because, even without random oracles, a tight characterization of realizable functionalities is known only with this restriction.
1.1 Our Results

We summarize our main results below. Our main result is the following. 

Theorem 1.1. A deterministic two-party function f, with a polynomially large domain, has a semi-honest 
secure protocol against computationally unbounded adversaries in the random oracle model if and only if 
f has a perfectly semi-honest secure protocol in the plain model. 

We remark that such f can be explicitly characterized as decomposable functions as defined in [Kus89] (if f is symmetric), or more generally, as those for which the symmetric function f' obtained as the "common information" part of f² is decomposable and f and f' are "isomorphic."³

In this theorem, as is conventional in much of the work on the combinatorial structure of SFE functionalities, we restrict ourselves to functions whose domain size is polynomial in the security parameter. A full combinatorial characterization of semi-honest securely realizable functions (even in the plain model) is known only with this restriction. In particular, there are undecomposable functions, with super-polynomial domain size, which are semi-honest securely realizable. Henceforth, unless mentioned otherwise, whenever we consider a function we shall assume that its domain size is polynomial in the security parameter.

The above result — that random oracles are useless for 2-party SFE — does not hold in the case of security against active adversaries. In particular, note that the commitment functionality F_COM can be constructed UC-securely in a black-box manner from random oracles, and so, all the functions which can be UC-securely computed in the F_COM-hybrid model can also be UC-securely computed in the random oracle model. But we shall show that this is all that a random oracle is useful for in 2-party SFE. This follows from Theorem 1.1 and a compiler from [MPR09] that turns semi-honest secure protocols into UC-secure protocols in the F_COM-hybrid model (see proof in Section 6).

Theorem 1.2. A deterministic two-party function f, with a polynomially large domain, has a statistically UC-secure (and equivalently, a statistically standalone-secure) protocol in the random oracle model if and only if f has a statistically UC-secure (and equivalently, a statistically standalone-secure) protocol in the F_COM-hybrid model.

We remark that such f can be characterized as those for which, on removing all "redundant inputs"⁴ one at a time, we obtain a function of the kind in Theorem 1.1.
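As an added worked example (not code from the paper), the following Python computes the common-information function f' of footnote 2 from a function table, via the connected components of the bipartite graph on nodes (x, a) and (y, b), and then tests f' for decomposability. The recursive definition of decomposability used here is the standard one from [Kus89], which this page cites but does not restate, so treat it as an assumption of the example; the isomorphism check between f and f' (footnote 3) is not implemented, and the sample functions are constructed for illustration.

```python
from itertools import combinations

# Constructed sample functions (not from the paper). A two-party function is a
# dict mapping (x, y) -> (a, b): a is Alice's output, b is Bob's.
X = Y = (0, 1)
sym_xor = {(x, y): (x ^ y, x ^ y) for x in X for y in Y}        # both get x XOR y
sym_and = {(x, y): (x & y, x & y) for x in X for y in Y}        # both get x AND y
one_sided_and = {(x, y): (x & y, None) for x in X for y in Y}   # only Alice gets x AND y


def _union_find(nodes):
    """Minimal union-find; returns (find, union) closures over `nodes`."""
    parent = {n: n for n in nodes}

    def find(u):
        while parent[u] != u:
            parent[u] = parent[parent[u]]   # path halving
            u = parent[u]
        return u

    def union(u, v):
        parent[find(u)] = find(v)

    return find, union


def common_information(f):
    """f' as in footnote 2: bipartite graph with Alice-side nodes (x, a) and
    Bob-side nodes (y, b), and an edge between (x, a) and (y, b) iff f(x, y) = (a, b).
    f'(x, y) is the connected component containing both ends of that edge.
    Components are returned as integer labels, numbered in first-seen order."""
    nodes = set()
    for (x, y), (a, b) in f.items():
        nodes.add(("A", x, a))   # side tag keeps Alice's and Bob's nodes apart
        nodes.add(("B", y, b))
    find, union = _union_find(nodes)
    for (x, y), (a, b) in f.items():
        union(("A", x, a), ("B", y, b))
    labels = {}
    return {(x, y): labels.setdefault(find(("A", x, a)), len(labels))
            for (x, y), (a, b) in f.items()}


def _blocks(keys, others, val):
    """Partition `keys` into the classes of the transitive closure of
    'k ~ k2 iff val(k, o) == val(k2, o) for some o in others'.
    Keys in different classes therefore give different outputs for every o."""
    find, union = _union_find(keys)
    for k1, k2 in combinations(keys, 2):
        if any(val(k1, o) == val(k2, o) for o in others):
            union(k1, k2)
    groups = {}
    for k in keys:
        groups.setdefault(find(k), []).append(k)
    return list(groups.values())


def is_decomposable(g, X=None, Y=None):
    """Decomposability of a symmetric function g: (x, y) -> z, using the recursive
    definition of [Kus89] as this example assumes it: g is decomposable if it is
    constant, or if its rows (resp. columns) split into >= 2 groups whose outputs
    differ for every fixed y (resp. x) and g restricted to each group is again
    decomposable.  Grouping rows by 'some y gives equal outputs' yields the finest
    admissible row split, so it suffices to try that one."""
    X = sorted({x for x, _ in g}) if X is None else X
    Y = sorted({y for _, y in g}) if Y is None else Y
    if len({g[(x, y)] for x in X for y in Y}) <= 1:
        return True
    row_blocks = _blocks(X, Y, lambda x, y: g[(x, y)])
    if len(row_blocks) > 1 and all(is_decomposable(g, Xi, Y) for Xi in row_blocks):
        return True
    col_blocks = _blocks(Y, X, lambda y, x: g[(x, y)])
    if len(col_blocks) > 1 and all(is_decomposable(g, X, Yj) for Yj in col_blocks):
        return True
    return False


if __name__ == "__main__":
    for name, f in [("sym_xor", sym_xor), ("sym_and", sym_and),
                    ("one_sided_and", one_sided_and)]:
        fp = common_information(f)
        print(name, "f' =", fp, "| f' decomposable:", is_decomposable(fp))
```

Running it shows that symmetric XOR has a decomposable f' while symmetric AND does not, and that one_sided_and has a constant (hence decomposable) f'; the latter is not isomorphic to a constant function (Alice with x = 1 learns y), which is why the characterization above needs both conditions.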

Blackbox Separations. Black-box constructions form a general framework of obtaining a (more complex) cryptographic primitive Q (e.g., pseudorandom generators) from another (perhaps simpler) cryptographic primitive P (e.g., one-way functions), where P is used in the implementation of Q only as a black-box and the security of Q is proved based on the security of P, also through a black-box argument. Apart from being the most common kind of reduction used in cryptographic constructions (with "provable security"), black-box reductions provide us with a framework to understand the "complexity" of cryptographic primitives. This line of research was initiated in the seminal work of Impagliazzo and Rudich [IR89] who showed that public-key cryptography is strictly more complex than symmetric-key cryptography (say, one-way functions) under this framework.

² For a deterministic two-party function f : X × Y → Z_A × Z_B, the common information function f' is defined as follows (see, e.g., [MOPR11]): consider the bipartite graph consisting of nodes of the form (x, a) ∈ X × Z_A and (y, b) ∈ Y × Z_B, with an edge between (x, a) and (y, b) iff f(x, y) = (a, b). Then f' maps (x, y) to the connected component containing (x, a) and (y, b) where f(x, y) = (a, b). Intuitively, f'(x, y) reveals only that part of the information about (x, y) that f reveals "commonly" to both Alice and Bob (and so they know that it is known to the other party as well).

³ f₀ and f₁ are isomorphic if there is a UC and semi-honest secure protocol for evaluating either function which uses a single instance of the other function with no other communication. In particular, if either function has a semi-honest secure protocol in the random oracle model (respectively, plain model), then the other one has such a protocol too.

⁴ Alice's input x to f is said to be redundant (for security against active adversaries) if there is an input x' ≠ x that dominates x: i.e., Alice can substitute x' for x without Bob noticing while still being able to calculate her correct output.

Theorem 1.1 is proven in the computationally unbounded setting, and the honest-but-curious adversaries implicit in our proofs use super-polynomial computational power (even if the honest parties were polynomial time). However, similar to the results in [IR89], this can be translated to a statement about black-box separation of semi-honest SFE protocols (for functions without perfectly secure protocols) from one-way functions, in a probabilistic polynomial time (PPT) setting. Intuitively, this is so because a random oracle is a strong one-way function (but for the drawback that it does not have a small code to implement it); so, if a one-way function is the sole computational primitive needed for a construction, and it is used in a black-box manner, then it should be possible to base the construction on a random oracle instead. Hence, ruling out secure protocols in the random oracle model in the computationally unbounded setting would rule out protocols in the PPT setting that base their security on one-way functions in a black-box manner. The technicalities depend on the formal definition of black-box reduction. We follow the definitions in [RTV04], with slight technical modifications, to state our results. A formal statement appears in Theorem 7.2. We summarize this result informally below.

Theorem 1.3. (Informal.) For a deterministic two-party function f, with a polynomially large domain, there 
is a fully black-box reduction of semi-honest secure function evaluation of f to one-way functions if and only 
if f has a perfectly semi-honest secure protocol in the plain model. 

Though we state the result for one-way functions, in fact, any collection of primitives that can be constructed from a random oracle (or ideal cipher) or a random permutation oracle⁵ in a black-box manner - one-way functions, one-way permutations, collision resistant hash functions, block-ciphers (including exponentially hard versions of these primitives) - is useless for 2-party SFE, if the primitives are used in a fully black-box manner.

As in the case of Theorem 1.1, the above statement can be extended to the case of security against active 
adversaries. 

Theorem 1.4. (Informal.) For a deterministic two-party function f, with a polynomially large domain, there is a fully black-box reduction of UC (or stand-alone) secure function evaluation of f to one-way functions if and only if f has a statistically UC (or stand-alone) secure protocol in the F_COM-hybrid model.

Note that, though commitment is already known to be black-box equivalent to one-way functions, statistical (standalone) security in the F_COM-hybrid model is, on the face of it, more restrictive than standalone security in the PPT setting using fully black-box commitments. Further, the theorem holds for not only one-way functions, but also the other computational primitives mentioned above.

1.2 Related Work 

Impagliazzo and Rudich [IR89] showed that random oracles are not useful against a computationally unbounded adversary for the task of secure key agreement. This analysis was recently simplified and sharpened in [BM09]. These results and techniques are one starting point for our result.

⁵ We point out that Theorem 1.1 extends to a random permutation oracle, as argued in [IR89]: otherwise, we can construct an efficient distinguisher between a length preserving random oracle and a length preserving random permutation oracle for "long" inputs, and this can be shown to be impossible (as it is improbable to find collisions in a random oracle).
Following [IR89] many other black-box separation results followed (e.g., [Sim98, GMR01, BPR+08, KSY11, MM11]). In particular, Gertner et al. [GKM+00] insightfully asked the question of comparing oblivious-transfer (OT) and key agreement (KA) and showed that OT is strictly more complex (in the sense of [IR89]). Another trend of results has been to prove lower-bounds on the efficiency of the implementation reduction in black-box constructions (e.g., [KST99, GGKT05, LTW05, HHRS07, BM07, BM09, HHRS07]). A complementary approach has been to find black-box reductions when they exist (e.g., [IL89, Ost91, OW93, Hai08, HNO+09]). Also, results in the black-box separation framework of [IR89, RTV04] have immediate consequences for computational complexity theory. Indeed, separations in this framework can be interpreted as new worlds in Impagliazzo's universe [Imp95].

Frontier analysis is possibly implicit in previous works on proving impossibility or lower bounds for protocols. For instance, the analysis in [CI93] very well fits our notion of what frontier analysis is. The analysis of protocols in [CK89, Bea89, Kus89] also has some elements of a frontier analysis, but of a rudimentary form which was sufficient for analysis of perfect security. In [MPR09] frontier analysis was explicitly introduced and used to prove several protocol impossibility results and characterizations. [KMR09] also presented similar results and used somewhat similar techniques (but relied on analyzing the protocol by rounds, instead of frontiers, and suffered limitations on the round complexity of the protocols for which the impossibility could be shown). We also rely on results from [MOPR11] to extend the result to general SFE functionalities as opposed to symmetric SFE functionalities.

1.3 Technical Overview 

We rely on a careful combination of the techniques in the black-box separation literature (in particular [IR89, BM09, DLMM11]) and new frontier analysis techniques. Below we briefly explain the overall approach and point out some of the highlights.

A clear starting point of our investigation is the "independence learner" of [IR89, BM09] which shows, in a protocol between Alice and Bob involving private queries to a random oracle, how to make several (but polynomially many) additional queries to the random oracle and make Alice's and Bob's views (conditioned on their inputs) independent of each other. However, from this independence property it is not immediate to conclude that random oracles are useless in SFE protocols. One conjecture (which we are not able to prove) would be that the effect of the random oracle can be "securely simulated" in the plain model, and then any protocol in the random oracle model can be compiled into a plain-model protocol that is as secure as the original one. This would avoid the need to rely on combinatorial characterizations of SFE functionalities, and indeed show that random oracles are useless for virtually any protocol (up to small, but non-negligible errors inherent in the independence learner). However, in this work we do not obtain such a compiler. In particular, we do not rule out the possibility that in fact random oracles could have unsimulatable effects, and may aid in secure computation of randomized functionalities, or functionalities with super-polynomial input domains.⁶

This leads us to the techniques used in showing that a symmetric SFE functionality f is semi-honest securely realizable if and only if it is decomposable. The strongest version of this result was proven using frontier analysis in [MPR09]. However, as we shall see, we need a significantly more sophisticated argument here.

⁶ An earlier version of this work (presented in [Maj11]) pursued this approach, and appeared to succeed. However, on closer scrutiny a major gap was found in the case when both Alice and Bob can have private inputs, which we have not been able to repair. Indeed, based on our current understanding, we do not conjecture that the random oracle can be compiled away from all protocols involving private inputs to both the parties.
1.3.1 Frontier Analysis Meets Random Oracles

First we describe why naive attempts at generalizing the argument used to characterize functions with SFE 
protocols in the plain model [MPR09] fail in the random oracle setting. 

The plain model result crucially relies on the following "locality" property. When Alice sends the next message in a plain model protocol, she can reveal (i.e., add to the transcript) new information only about her own input but not about Bob's inputs. So, during the execution of the protocol, Alice and Bob would alternately reveal information about their inputs x and y respectively. Suppose we define two frontiers: F_x, where (significant, additional) information about x is first revealed, and F_y, where (significant, additional) information about y is first revealed in the transcript. By the locality property, F_x consists of nodes where Alice has just sent out a message, and F_y consists of nodes where Bob has just sent out a message. Firstly, for the sake of correctness, information about x and y needs to be revealed by the end of the protocol, and hence, F_x and F_y are almost "full" frontiers (i.e., there is only a small probability that an execution finishes without passing through both frontiers).⁷ To draw a contradiction we rely on the property that, for an undecomposable function, it will be insecure for either party to reveal information about their input first. In terms of the frontiers, this says that it will be insecure if a (significantly probable) portion of F_x appears above F_y, or if a (significantly probable) portion of F_y appears above F_x. Combined with the fact that both frontiers are almost full, this rules out secure protocols for undecomposable functions.

Handling the Random Oracle. In the presence of a random oracle, we lose the locality property (that Alice's message is independent of Bob's input, conditioned on the transcript). It becomes possible that a correlation is established between Alice's and Bob's views via the common random oracle, even conditioned on the transcript. Indeed, given a random oracle, a secure protocol for even OT is possible unless the curious parties query the oracle on points other than what is prescribed by the protocol. Hence, to be meaningful in the presence of an oracle, we must define the information revealed by a transcript as what a curious eavesdropper making additional (polynomially bounded) queries to the oracle can learn. This is where the independence learner "Eve" of [IR89, BM09] is relevant. Intuitively, Eve attempts to learn as much as possible (staying within a budget of polynomially many oracle queries), by making all "important" queries to the oracle after each message in the protocol. By including the information obtained by Eve into the transcript itself, we can ensure that the frontiers do correspond to points where certain information is revealed, conditioned on the information obtained by Eve. Being a semi-honest setting, it is not relevant when these queries are performed; but for our frontier analysis, it will be important to consider the curious eavesdropper as running concurrently with the protocol, querying the oracle as many times as it wants, after each message in the protocol.

Main Challenge. Once the transcript is augmented with Eve's view, one could hope that the previous analysis from [MPR09] can be applied. Indeed, in this augmented protocol, the locality property is restored. However, now we have introduced new messages in the transcript (namely Eve's interaction with the random oracle), and these messages could be correlated with both Alice's and Bob's inputs! This is the core issue that we need to tackle.

⁷ As we shall see, for undecomposable functions, this must hold even if there are inputs for one party (say Bob) for which the function becomes constant. That is, F_y needs to be crossed even for executions in which Bob's input is a value y for which the function f(·, y) is constant. This is because, by undecomposability, for certain values of Alice's input x, and another input y' for Bob, f(x, y) = f(x, y') where f(·, y') is not constant, and then by security, the execution with input (x, y) has to be close to the execution with input (x, y'). In the latter, information about y needs to be revealed.

Our Solution. Now we give an intuitive (but imprecise) description of our proof. As above, we shall define the frontiers F_x and F_y where information about x and (respectively) about y is first revealed in the (augmented) transcript. Now, information about x or y could be revealed when Alice sends out a message, Bob sends out a message, or Eve obtains its answers from the oracle. We will be able to rule out information about x being revealed by a message from Bob, or information about y being revealed by a message from Alice (this corresponds to Claim 5.6), but this leaves open the possibility that an answer for an Eve query to the oracle reveals information about x and y simultaneously.

To address this, we pursue the following intuition: suppose no information about y has been revealed so far, and Alice sends out a message; suppose some information about x is revealed not immediately by this message, but after Bob (and Eve) carry out oracle queries and respond to Alice's message (but before Alice responds again). (Our concern is that this information could depend on x and y simultaneously.) Then we demonstrate a curious Bob strategy that can learn the same information about x, irrespective of his actual input y. The intuition behind this strategy is the following: consider the point immediately after Alice sent out her message. Bob samples for himself a view conditioned on an alternate input y' such that an actual execution with input (x, y') reveals information about x that should not be revealed when Bob's input is y. Bob can simulate the execution with input y' for himself, starting from this point until the next message from Alice, without interacting with Alice; however, the oracle Bob has access to is conditioned on the actual pair of inputs (x, y), and not (x, y'). Clearly, it will be pointless to use this oracle directly to simulate the execution with input (x, y'). A crucial observation at this point (this corresponds to Claim 5.7) is that it is highly unlikely for an oracle query that is not in Eve's view to be present in both Alice's view and Bob's view (or the sampled view for Bob). This lets Bob simulate an oracle conditioned on (x, y') as follows: if an oracle query is already answered in the sampled view for Bob (with input y'), use it (it is likely not to have been asked by Alice); else, if an oracle query is present in the original view for Bob (but not present in the sampled view, and neither in Eve's view), then "undo" the effect of the query in Bob's view by sampling a new answer for it (again, it is unlikely to have been asked by Alice); if not, use the actual oracle (thus ensuring that any queries already present in Alice's view are consistently answered). This allows curious Bob to seamlessly replace the actual oracle with an oracle consistent with inputs (x, y'), even though he does not know x or Alice's view of the oracle. What facilitates this, in addition to the fact that Eve captures all intersection queries, is the special "modular" nature of the random oracle.

This essentially means that when information about x is revealed, information about y must have been revealed already by the time the last message was sent by Alice (even if the information about x is revealed only during subsequent queries to the oracle by Bob or Eve). Further, as mentioned above, since Alice could not have revealed information about y, this information about y must have been revealed strictly before the last message from Alice, and in particular, strictly before the information about x was revealed. This is captured in Claim 4.2 which implies that (in terms of the simplified presentation above) F_x can be reached only strictly after passing through a node in F_y.

Some Technical Issues. Formalizing the above intuitive description presents several challenges. The most important aspect is the appropriate definition of the frontier, and the statement regarding the ordering of the frontiers. For the above curious Bob to have an advantage, the information revealed about x should have been after the last message from Alice. For each node u we define Apred(u) to correspond to the last message from Alice; however, for a node u which itself corresponds to a message from Alice (where the argument relies on the locality property and not the above curious Bob strategy), Apred(u) is defined as its parent node. Another important issue is that, above, we argued in terms of "the probability of reaching a segment." However, this probability depends on the inputs. (The set of nodes in the frontier does not change; only the distribution over them changes.) Whether these probabilities are similar or different depends on whether the inputs have already been distinguished or not. Note that we use properties of these distributions to reason about the ordering of the frontiers, and these distributions themselves depend on the ordering of the frontiers! Much of our technical difficulties arise from circumnavigating potential circularities.

⁸ This is the issue that was not correctly handled in a previous attempt by the authors (in [Maj11]), in trying to compile away the random oracle. The current frontier analysis based approach avoids subtle probabilistic reasoning which is invariably fraught with dangers of false intuition.

1.3.2 Using the Independence Learner 

As mentioned above, a crucial tool for analyzing protocols using a random oracle is to show that by making 
polynomially many queries to the oracle, an eavesdropper Eve can get sufficient information such that 
conditioned on this, Alice and Bob's views in the protocol are almost always close to being independent (up 
to an inverse polynomially small error). This is a delicate argument implicitly proved in [BM09] building 
on ideas from [IR89], and was first explicitly described in [DLMM11]. The view of such an Eve is part of 
the augmented transcript, with respect to which the frontiers are defined. 

A subtle issue to address when extending this Eve to our case is that Alice and Bob receive inputs from an arbitrary environment and Eve does not see the inputs. In particular, Alice and Bob could receive correlated inputs, and we cannot claim that their views, conditioned on Eve's view, are (almost always, close to being) independent. However, we can create an Eve which is oblivious to the actual inputs, but for every input pair (x, y), when the protocol is executed with these inputs, Alice's and Bob's views conditioned on Eve's view are (almost always, close to being) independent. For this, we take Eve to be as defined in [BM09] (presented in Lemma A.1), but applied to an inputless protocol obtained by considering our original protocol but with inputs (x, y) that are chosen initially at random (say as part of the randomness of the two parties). Initially this Eve considers the actual input to be of significant probability (since the inputs come from a polynomially large domain). In analyzing this Eve, we rely on an argument that with significant probability, at any round of the protocol, this Eve will consider the actual input to be a likely input (Lemma 2.1).

In our analysis sketched above, there are two guarantees from this Eve that we rely on, captured in 
Claim 5.6 and Claim 5.7, as described below. 

1) Alice's Message Independent of Bob's Input. Firstly, recall that the purpose of introducing Eve's view into the transcript was to restore the "locality property" - i.e., Alice's messages, conditioned on Eve's view, are independent of Bob's view. More precisely, we will need the guarantee that at a point where Alice is about to send a message, if two inputs of Bob, y and y', are both somewhat likely, then Alice's message is almost independent of which of these two inputs Bob has. This is stated in Claim 5.6, and follows from Lemma A.2 proven in Appendix A. Note that we need this to hold (and this holds) only at points where both of Bob's inputs y and y' are somewhat likely. (In using this claim, the points considered will be above the frontier F_y so that all inputs for Bob are significantly probable.)

2) Collisions of Private Queries Unlikely. The second place where we rely on Eve's properties is in 
arguing that the curious Bob strategy outlined above works: i.e., that when curious Bob samples a view for 
himself after Alice sends a message, it is unlikely that there will be an oracle query in either his actual view 
or in the freshly sampled view that occurs in Alice's actual view, but is not present in Eve's view. This is 
stated in Claim 5.7 and follows from Lemma A.3 proven in Appendix A. We need this to occur only when 
the "fake" input y' used for the sampled view is somewhat likely. (Again, the claim will be applied only to 
points above the frontier $F_Y$, and all inputs are somewhat likely there.) We remark that, just for the actual 
views, similar statements were already explicitly proven in [IR89, BM09], bounding the probability of an 
"intersection query" that is not present in Eve's view. The additional twist in our case is that we need to 
also consider the view sampled for a "fake" input; further, Bob's views we consider are not at the point Eve 
finishes a round of oracle queries, but after a subsequent message from Alice. 

It is important to note that Bob's views considered here consist of the oracle queries he made only up 
to the point he sent his previous message to Alice (even though the views include the last message from 
Alice). Lemma A.3 would not be true if instead we consider Bob's views including oracle queries he makes 
after receiving Alice's last message. The reason is that the last message sent from Alice can simply tell Bob 
that Alice has asked a random new query q and Bob might make the same query immediately afterwards. 
This way, the information that was gathered by Eve till the end of the previous round (before Alice sent her 
message) is incapable of catching this intersection query. 

2 Preliminaries 

In this section we introduce some basic notation, conventions and definitions. (Further conventions needed 
shall be introduced in their respective sections). 

2.1 Secure Evaluation of 2-Party Functions 

2-Party Functions. A (deterministic) 2-party function $f : X \times Y \to Z_A \times Z_B$ maps a pair of inputs $(x, y)$ 
(associated with Alice and Bob respectively) to a pair of outputs $(a, b)$ (for the two parties, respectively). For 
the most part in our proofs, we shall be dealing with symmetric 2-party functions which produce two identical 
outputs (or equivalently, a single output given to both parties). 

For symmetric functions, an Alice-cut is a partition $(X_0, X_1)$ of the input space $X$ such that for any 
$x \in X_0$, $x' \in X_1$ and $y \in Y$, $f(x, y) \neq f(x', y)$. The functions associated with an Alice-cut $(X_0, X_1)$ are the 
two restrictions of $f$, restricted to domain $X_0 \times Y$ and to domain $X_1 \times Y$. A Bob-cut and the functions associated 
with it are defined similarly. 

Now, we define decomposable functions $f$ in the following recursive manner [Kus89, Bea89]: 

1. A constant function is decomposable. 

2. If $f$ has an Alice-cut or a Bob-cut and the two functions associated with that cut are both decomposable, 
then $f$ is decomposable. 

A function is undecomposable if it is not decomposable. Moreover, it is said to be undecomposable at the 
top-most level if $f : X \times Y \to Z$ does not have an Alice-cut or a Bob-cut (see Appendix B for some 
examples). 
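As an added worked example (our code, not from the paper), the following Python script implements the recursive definition above directly on a function table: it enumerates Alice-cuts and Bob-cuts, recurses on the two associated restrictions, and separately reports whether a function is undecomposable at the top-most level. The helper names and the constructed sample tables (AND, XOR and a 3 x 2 table) are ours, not examples from Appendix B.

```python
from itertools import combinations


def nontrivial_cuts(domain):
    """Yield every partition (S, T) of `domain` into two non-empty parts, each once.

    The smallest element is pinned to S so that (S, T) and (T, S) are not both produced.
    """
    items = sorted(domain)
    head, rest = items[0], items[1:]
    for size in range(len(rest)):           # size == len(rest) would leave T empty
        for extra in combinations(rest, size):
            S = frozenset((head,) + extra)
            yield S, frozenset(items) - S


def is_alice_cut(f, S, T, Y):
    """Alice-cut: f(x, y) != f(x', y) for every x in S, x' in T and every y in Y."""
    return all(f[x, y] != f[xp, y] for x in S for xp in T for y in Y)


def is_bob_cut(f, X, S, T):
    """Bob-cut: f(x, y) != f(x, y') for every y in S, y' in T and every x in X."""
    return all(f[x, y] != f[x, yp] for y in S for yp in T for x in X)


def is_constant(f, X, Y):
    return len({f[x, y] for x in X for y in Y}) <= 1


def decomposition(f, X, Y):
    """Decomposition tree of f restricted to X x Y, or None if f is undecomposable there.

    Nodes are ("const", value), ("A", S, T, left, right) for an Alice-cut and
    ("B", S, T, left, right) for a Bob-cut, following the recursive definition
    [Kus89, Bea89]: constants are decomposable, and so is any f with a cut whose
    two associated restrictions are both decomposable.
    """
    if is_constant(f, X, Y):
        return ("const", f[next(iter(X)), next(iter(Y))])
    for S, T in nontrivial_cuts(X):
        if is_alice_cut(f, S, T, Y):
            left, right = decomposition(f, S, Y), decomposition(f, T, Y)
            if left is not None and right is not None:
                return ("A", S, T, left, right)
    for S, T in nontrivial_cuts(Y):
        if is_bob_cut(f, X, S, T):
            left, right = decomposition(f, X, S), decomposition(f, X, T)
            if left is not None and right is not None:
                return ("B", S, T, left, right)
    return None


def is_decomposable(f, X, Y):
    return decomposition(f, X, Y) is not None


def undecomposable_at_top(f, X, Y):
    """True when f has neither an Alice-cut nor a Bob-cut (and is not constant):
    the class of functions the paper rules out protocols for in Sections 4 and 5."""
    if is_constant(f, X, Y):
        return False
    has_alice = any(is_alice_cut(f, S, T, Y) for S, T in nontrivial_cuts(X))
    has_bob = any(is_bob_cut(f, X, S, T) for S, T in nontrivial_cuts(Y))
    return not (has_alice or has_bob)


def table(rows):
    """Constructed helper: build (f, X, Y) from a matrix rows[x][y], using index sets as domains."""
    X = frozenset(range(len(rows)))
    Y = frozenset(range(len(rows[0])))
    return {(x, y): rows[x][y] for x in X for y in Y}, X, Y


# Constructed sample functions for the demonstration.
AND_F, AND_X, AND_Y = table([[0, 0], [0, 1]])            # x AND y: no cut at all
XOR_F, XOR_X, XOR_Y = table([[0, 1], [1, 0]])            # x XOR y: Alice-cut, then Bob-cuts
# Alice-cut {0} | {1, 2} exists, but the {1, 2} x Y restriction is AND, so still undecomposable.
MIXED_F, MIXED_X, MIXED_Y = table([[2, 2], [0, 0], [0, 1]])

if __name__ == "__main__":
    samples = {"AND": (AND_F, AND_X, AND_Y), "XOR": (XOR_F, XOR_X, XOR_Y),
               "MIXED": (MIXED_F, MIXED_X, MIXED_Y)}
    for name, (f, X, Y) in samples.items():
        print(name, "decomposable:", is_decomposable(f, X, Y),
              "undecomposable at top:", undecomposable_at_top(f, X, Y))
```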

Secure Function Evaluation. A Secure Function Evaluation (SFE) functionality is associated with a 2-party 
function $f$: the ideal SFE functionality accepts $x$ from Alice, $y$ from Bob, computes $f(x, y) = (a, b)$ 
and gives $a$ to Alice and $b$ to Bob. We shall refer to the SFE functionality and the two-party function 
associated with it interchangeably. For the most part, we shall consider protocols for SFE functionalities that are 
secure against semi-honest adversaries. Our final theorems consider the two standard notions of security 
against active adversaries as well, namely, standalone security and Universally Composable (UC) security. 
Mostly we work with statistical security, which places no computational limitations on the parties or 
environment; but we do state consequences of our results for security in the computational setting as well. We 
omit a detailed description of the standard security definitions. As it turns out, in our results there is 
no distinction between UC security and standalone security. (Readers unfamiliar with the details of the 
definitions may ignore the few places in our proofs where we discuss the two notions separately, to establish 
their similarity.) 

Security Definitions. Security of protocols is defined under the standard simulation paradigm. We con- 
sider semi-honest security in which the adversary and the simulator are semi-honest (a.k.a. passive or honest- 
but-curious), and also active-security. In the latter case security can be considered in the standalone setting 
or the universally composable setting. The statistical difference between the views of the environment in the 
real and ideal executions, maximized for each simulator over all environments, and then minimized over all 
simulators, will be called the "security error" of a protocol. 

We can in fact work with a (weaker) game-based definition of semi-honest security which only requires 
that if $f(x, y) = f(x, y')$, then Alice's views in the two executions with inputs $(x, y)$ and $(x, y')$ should be 
(statistically) indistinguishable from each other; similarly, Bob's views for executions with inputs $(x, y)$ and 
$(x', y)$ should be indistinguishable if $f(x, y) = f(x', y)$. This definition is identical to the simulation-based 
definition in the computationally unbounded setting; but when considering the PPT setting (for black-box 
separation results), the weaker security definition makes our results stronger, and more amenable to being 
framed in terms of the definitions in [RTV04]. 

2.2 Random Oracles 

An oracle O is specified by a function (from queries to answers) chosen according to a specified distribution. 
This choice is made before answering any query, however for the sake of analysis of the protocol we can 
choose the randomness of the oracle along the way as the parties interact (this is also known as the lazy 
evaluation of the oracle). In this paper, we shall use oracles $O$ that are random oracles, i.e., every query is 
independently mapped to an image chosen uniformly at random. 

Security Parameter of $O$. We shall associate a security parameter $\kappa$ with the queries to the oracle, and 
will invariably require that the length of the queries and their answers is polynomial in $\kappa$ (e.g., $O$ for the 
security parameter $\kappa$ could be a random function from $\{0, 1\}^\kappa$ to $\{0, 1\}^\kappa$). For simplicity, any protocol using 
the oracle would make all queries with the same security parameter as the protocol's own security parameter. 

Query Operator. For any view V of some oracle algorithm interacting with O, we denote the set of oracle 
queries made by the algorithm according to the view V by Q(V). 

2.3 Frontiers 

Consider a (possibly infinite) sequence of correlated random variables $(m_1, m_2, \ldots)$. We consider a natural 
representation of such a sequence as a rooted tree, with each level corresponding to a random variable $m_i$, 
and each node $v$ at depth $t$ in the tree is uniquely identified with an assignment of values to $(m_1, m_2, \ldots, m_t)$ 
that agrees, on $(m_1, m_2, \ldots, m_{t-1})$, with the assignment identified with its parent node. 
Then we can identify the sequence of values of these random variables with a unique path in this tree, 
starting at the root. 

We can identify a set of nodes S in this tree with the event that the path corresponding to the values 
taken by the random variables intersects S. A frontier on this tree corresponds to a set F of nodes which is 
"prefix-free" (i.e., no two nodes in F are on the same path starting at the root). We often define a frontier 
using a predicate, as the set of nodes which satisfy the predicate but do not have an ancestor which satisfies 
the predicate (i.e., the predicate is satisfied for the "first time"). Note that the frontier event is deterministic 
given a node in the tree (though the event could be in terms of the probability of other events at that node). 

The tree naturally defines an "ancestor" partial order on the nodes in the tree: we say $u \preceq v$ if $u$ occurs 
somewhere on the path from the root of the tree to $v$ ($u$ could be identical to $v$). If $u \preceq v$ but $u \neq v$, then we 
write $u \prec v$. 

Invariably, we consider this tree only with sequence of random variables corresponding to the messages 
exchanged in a protocol (but possibly augmented by additional messages added for analysis). Though not 
necessary, it will be convenient to consider the underlying process as consisting of picking a uniformly 
random input and then executing the protocol. However, clearly, the tree and frontiers can be used to 
represent any sequence of random variables. 

As a simple illustration of the routine arguments we carry out over such a tree, we state and prove a 
simple lemma (which gets used later in the paper). In Lemma 6.4 of [IR89] it was shown how to obtain an 
upper-bound on the conditional probability of an unlikely event under a sequence of leaking information. 
The following lemma can be thought of as a "dual" statement showing that if the event is noticeable, when 
it actually happens, then it remains noticeable conditioned on a sequence of leakages. More formally we 
prove the following. 

Lemma 2.1. Consider a sequence of correlated random variables $(m_1, m_2, \ldots)$. For any event $X$ jointly 
distributed with these variables, let $S$ be the event that there exists $t$ such that $P[X \mid (m_1, m_2, \ldots, m_t)] < \theta$. 
Then it holds that $P[S \mid X] < \theta / P[X]$. 

Proof. Consider the tree representing the sequence of random variables $(m_1, m_2, \ldots)$. The event $S$ corresponds 
to a subset of nodes in this tree: $S = \{v \mid P[X \mid v] < \theta\}$. Define $U$ to be the frontier of nodes in $S$ 
that do not have a strict ancestor in $S$; namely, $U = \{v \mid v \in S \text{ and for all } u \text{ s.t. } u \prec v,\ u \notin S\}$. Note that 
$P[S \mid X] = P[U \mid X]$. Further, 

$$P[U \mid X] = \sum_{u \in U} P[u \mid X] = \sum_{u \in U} P[X \mid u]\, P[u] / P[X] < \theta\, P[U] / P[X] \le \theta / P[X]. \qquad \square$$ 

A corollary to Lemma 2.1 is that in a protocol execution, the actual inputs of Alice and Bob will not 
become "unlikely" conditioned on the transcript, except with small probability. 
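As an added illustration of frontiers defined by a predicate and of Lemma 2.1 (our code, not from the paper), the following Python script builds the tree for a small constructed distribution over two messages $m_1, m_2$ and an event $X$, computes the frontier $U$ of $S = \{v \mid P[X \mid v] < \theta\}$ as the minimal nodes satisfying the predicate, and checks $P[U \mid X] = P[S \mid X] < \theta / P[X]$ with exact arithmetic. The distribution DIST and all helper names are constructed for this example.

```python
from fractions import Fraction
from itertools import product

# Constructed joint distribution over (m1, m2, X): keys are (m1, m2, x) where
# x = 1 means the event X occurred.  Probabilities are exact and sum to 1.
DIST = {
    (0, 0, 1): Fraction(1, 8),  (0, 0, 0): Fraction(1, 8),
    (0, 1, 1): Fraction(1, 16), (0, 1, 0): Fraction(3, 16),
    (1, 0, 1): Fraction(1, 4),  (1, 0, 0): Fraction(0),
    (1, 1, 1): Fraction(1, 16), (1, 1, 0): Fraction(3, 16),
}


def depth(dist):
    """Number of message random variables (key length minus the event bit)."""
    return len(next(iter(dist))) - 1


def all_nodes(dist):
    """Every node of the tree: a prefix (m1, ..., mt) for t = 0 (the root) .. depth."""
    T = depth(dist)
    alphabets = [sorted({k[i] for k in dist}) for i in range(T)]
    nodes = []
    for t in range(T + 1):
        nodes.extend(tuple(p) for p in product(*alphabets[:t]))
    return nodes


def prob_node(dist, v):
    """P[path passes through v] = total mass of outcomes whose messages start with v."""
    return sum(p for k, p in dist.items() if k[:len(v)] == v)


def prob_node_and_X(dist, v):
    return sum(p for k, p in dist.items() if k[:len(v)] == v and k[-1] == 1)


def prob_X_given(dist, v):
    """P[X | v]; a zero-probability node conditions to zero (the paper's footnote 10 convention)."""
    pv = prob_node(dist, v)
    return prob_node_and_X(dist, v) / pv if pv else Fraction(0)


def frontier(nodes, pred):
    """Nodes satisfying pred with no strict ancestor satisfying pred: a prefix-free set."""
    return {v for v in nodes if pred(v) and not any(pred(v[:i]) for i in range(len(v)))}


def lemma_2_1(dist, theta):
    """Return (U, P[U | X], theta / P[X]) for S = {v : P[X | v] < theta}; the lemma says P[U | X] < theta / P[X]."""
    U = frontier(all_nodes(dist), lambda v: prob_X_given(dist, v) < theta)
    pX = prob_node_and_X(dist, ())
    p_U_given_X = sum(prob_node_and_X(dist, u) for u in U) / pX
    return U, p_U_given_X, theta / pX


def prob_hits_S_given_X(dist, theta):
    """Direct computation of P[S | X]: the path hits S iff some prefix of it is in S."""
    T = depth(dist)
    total = Fraction(0)
    for k, p in dist.items():
        path = k[:-1]
        if k[-1] == 1 and any(prob_X_given(dist, path[:t]) < theta for t in range(T + 1)):
            total += p
    return total / prob_node_and_X(dist, ())


if __name__ == "__main__":
    theta = Fraction(1, 3)
    U, lhs, rhs = lemma_2_1(DIST, theta)
    print("frontier U:", sorted(U))
    print("P[U | X] =", lhs, "  theta / P[X] =", rhs, "  P[S | X] =", prob_hits_S_given_X(DIST, theta))
```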

3 Transcript Tree and Other Notation 

In this section, first we define the tree notation that is used throughout our analysis. We shall also define the 
frontiers on this tree that are central to our analysis. 

Augmented Protocol Execution. We shall consider two-party protocols $\Pi$ where Alice and Bob interact 
to evaluate a (symmetric) function $f : X \times Y \to Z$ on their respective local inputs $x \in X$ and $y \in Y$. We 
shall assume that $|X|$ and $|Y|$ are both polynomial in the security parameter. Alice and Bob have access to 
a random oracle $O$. We "augment" the protocol $\Pi$ with a "public query strategy" Eve, which can see the 
publicly generated transcript and can also query the random oracle. For simplicity, we consider Eve to be 
deterministic (as will be the case in our instantiation of Eve). Later, we will instantiate Eve from Lemma A.1 
(applied to an inputless protocol obtained by using uniformly randomly chosen inputs for $\Pi$). 

When Alice is supposed to generate the next message, she queries the random oracle at some points. 
Based on her local view, she then generates the next message of the protocol using her next message gen- 
eration algorithm. Similarly, Bob also generates the next message of the protocol during his turns. Eve, on 
the other hand, simply performs several queries to the random oracle and announces all her queries and their 
corresponding answers at the end of her turn. For concreteness we shall assume that the protocol starts with 
Alice sending a message. Alice and Bob take turns alternately, with Eve getting a turn after every Alice or 
Bob message (i.e., the messages will be sent by Alice, Eve, Bob, Eve, and again Alice, Eve and so on.). 

We shall refer to this protocol as the "augmented protocol" $(\Pi, \mathrm{Eve})$. 

Augmented Transcript Tree $T^+$. Our analysis considers the transcript tree $T^+$ of an execution of $\Pi$ augmented 
with a public query strategy Eve. The $T^+$ associated with an augmented protocol $(\Pi, \mathrm{Eve})$ is the tree as 
defined in Section 2.3 with the sequence of random variables $(m_1, m_2, \ldots)$ being the messages added to the 
transcript of the augmented protocol by Alice, Eve and Bob during an execution. In other words, the nodes in 
the transcript tree are all the possible partial transcripts in the augmented protocol execution, with a directed 
edge from a node $u$ to a node $v$ if the partial transcript associated with $v$ is obtained by adding exactly one 
message (from Alice, Bob or Eve) to the partial transcript associated with $u$. 

For convenience we add an initial "dummy" round, in which Alice sends a fixed message followed by Bob sending 
a fixed message. These correspond to two dummy nodes at the root of $T^+$. We shall denote by Anodes and Bnodes 
the sets of Alice and Bob nodes, and by Achildren and Bchildren the sets of (Eve) nodes that are children of, 
respectively, Alice nodes and Bob nodes. The tree $T^+$ naturally defines an "ancestor" partial order on the nodes 
in the tree: we say $u \preceq v$ if $u$ occurs somewhere on the path from the root of the tree to $v$ ($u$ could be 
identical to $v$). If $u \preceq v$ but $u \neq v$, then we write $u \prec v$. We define $\mathrm{ancstrs}(v) = \{u \mid u \prec v\}$. 

An important definition we shall use throughout is that of Apred and Bpred nodes. 

Definition 3.1 (Apred). For every node $v$ in the transcript tree, except the initial dummy Alice node, we 
define $\mathrm{Apred}(v)$ as follows: 

• If $v \in \mathrm{Achildren}$, then $\mathrm{Apred}(v)$ is the parent of $v$. 

• If $v \notin \mathrm{Achildren}$, we define $\mathrm{Apred}(v)$ to correspond to the last message sent by Alice before the 
transcript reached $v$: i.e., $\mathrm{Apred}(v) = w$ such that $w \in \mathrm{ancstrs}(v) \cap \mathrm{Achildren}$, and for all 
$w' \in \mathrm{ancstrs}(v) \cap \mathrm{Achildren}$, $w' \preceq w$. 

Note that $\mathrm{Apred}(v) \in \mathrm{Achildren} \cup \mathrm{Anodes}$ and $\mathrm{Apred}(v) \prec v$. Further, for any node $v$, the sequence 
$v, \mathrm{Apred}(v), \mathrm{Apred}(\mathrm{Apred}(v)), \ldots$ ends at the initial dummy Alice node.^9 Figure 1 pictorially summarizes 
the Apred relation. 

Figure 1: Schematic representation of the nodes in $T^+$ (including two initial dummy nodes). The nodes are 
labeled A, B and E, for Alice, Bob and Eve. The dotted lines show the Apred relation. 

Similarly, for every node $v$ (except the initial dummy Alice and Bob nodes), we define $\mathrm{Bpred}(v)$ as either 
the maximal element of $\mathrm{ancstrs}(v) \cap \mathrm{Bchildren}$ (if $v \notin \mathrm{Bchildren}$) or the parent of $v$ (if $v \in \mathrm{Bchildren}$). Note 
that $\mathrm{Bpred}(v) \in \mathrm{Bchildren} \cup \mathrm{Bnodes}$ and $\mathrm{Bpred}(v) \prec v$. 

For any partial transcript $w$, we define the views of Alice, Bob and Eve consistent with the partial 
transcript $w$. The Eve view consistent with $w$ is represented by $V_E(w)$. We represent the distributions of 
Alice views and Bob views conditioned on $w$, when their local inputs are $x$ and $y$, respectively, by $\mathbf{V}_{A,x}(w)$ 
and $\mathbf{V}_{B,y}(w)$ (the bold face emphasizing that these are distributions). The probability is over the choice of 
random tapes for Alice and Bob and the random oracle. We emphasize that the local views of the parties contain 
only those query-answer pairs which were generated during the generation of messages already present 
in $w$. So, if Alice sends the next message in a round and the resulting transcript is $w$, then Bob's 
views consistent with $w$ will contain only query-answer pairs which were generated in previous rounds. 
Bob's view gets updated with new query-answer pairs when he sends the next message in the protocol. 

Strictly Above a Set: $u \prec F$ and $F_1 \prec F_2$. We shall abuse the $\prec$ notation slightly, and use it in the 
following senses too: if $u$ is a node and $F$ is a set of nodes, we write $u \prec F$ (read as $u$ is strictly above $F$) 
if $u$ can be reached from the root without passing through any node in $F$ (i.e., there is no $v \in F$ such that 
$v \preceq u$); note that for $u$ to be strictly above $F$, it is not necessary to have any $v \in F$ such that $u \prec v$. For 
two sets of nodes $F_1, F_2$, we define the event $F_1 \prec F_2$ to occur if the transcript path of an execution passes 
through a node $v \in F_1$ strictly before passing through any node in $F_2$ (it may or may not pass through a 
node in $F_2$ afterwards). 

4 Overview of Our Analysis 

Here we sketch the technical details of our frontier analysis (see Section 1.3 for a motivating discussion, and 
Section 5 for the remaining details). 

Suppose $\Pi$ is a 2-party protocol using a random oracle $O$ that $\nu_0$-securely realizes a symmetric SFE 
functionality $f$ that is not row or column decomposable at the top level (i.e., not even the first step of 
decomposition is possible; as we shall see, it is enough to rule out protocols for such functionalities). Let 
Eve be the public query strategy described in Lemma A.1, with an adjustable parameter $\epsilon$ as described there 
($\epsilon = 1/\mathrm{poly}(\kappa)$ will be tuned later in the proof). Note that in Lemma A.1, the protocol considered has no 
inputs; in order to define Eve from this, we use an inputless protocol obtained by running $\Pi$ with private 
inputs chosen uniformly at random (as part of Alice's and Bob's local randomness). We shall modify the 
protocol so that at the end of the protocol, Alice adds the output of the protocol to the transcript. (The 
simulation error $\nu_0$ at most doubles by this modification.) We consider the transcript tree $T^+$ as described 
above, for this protocol $\Pi$ augmented with Eve. 

Intuitively, we will be arguing that if some information about $x$ has been revealed by the time the 
transcript reaches a node $v$, some information about $x$ or $y$ must have already been revealed when it reached 
$\mathrm{Apred}(v)$. Similarly, for information about $y$ to be revealed at $v$, some information about $x$ or $y$ should 
already have been revealed at $\mathrm{Bpred}(v)$. Together these requirements yield a contradiction. To formalize 
this, we shall define a frontier $F_X^\theta$ (and symmetrically $F_Y^\theta$) that consists of nodes $v$ such that the "extra 
information" revealed about $x$ at $v$ since reaching $\mathrm{Apred}(v)$ is significant. 

^9 We added dummy Alice and Bob nodes at the root level to ensure that Apred and Bpred are well-defined for all the original 
nodes. Note that no information is exchanged until after the protocol passes these dummy nodes, and so these nodes will not be 
part of any of our frontiers defined later. 

More precisely we define the following two frontiers on this tree, in terms of two parameters $\delta$ and $\theta$ 
(for concreteness, consider $\delta = \frac{1}{N}$, where $N$ is the depth of the tree $T^+$, and $\theta = \frac{1}{\mathrm{poly}(|X||Y|)}$): 

• $F_X^\theta = \{v \mid v$ is the first node on the path from the root to $v$ s.t. $\exists y \in Y,\ x, x' \in X$ with $P[y \mid v] > \theta$ and 

$P[v \mid \mathrm{Apred}(v); x, y] > (1 + \delta)\, P[v \mid \mathrm{Apred}(v); x', y]\}$ 

• $F_Y^\theta = \{v \mid v$ is the first node on the path from the root to $v$ s.t. $\exists x \in X,\ y, y' \in Y$ with $P[x \mid v] > \theta$ and 

$P[v \mid \mathrm{Bpred}(v); x, y] > (1 + \delta)\, P[v \mid \mathrm{Bpred}(v); x, y']\}$ 

Here, $P[v \mid w; x, y]$ denotes the probability (over the random tapes of the parties and the oracle $O$) of reaching 
a node $v$ in $T^+$, conditioned on having reached the node $w$, when the parties run the protocol honestly with 
inputs $x$ and $y$ respectively. We shall also write $P[x \mid v]$ and $P[y \mid v]$ to denote the probabilities of $x$ and $y$ being 
the inputs for Alice and Bob, respectively, conditioned on a protocol execution with a uniformly random 
input pair reaching the node $v$.^10 Intuitively, the quantity $\max_{x, x', y} \left| \log P[v \mid w; x, y] - \log P[v \mid w; x', y] \right|$ 
measures the amount of information about Alice's input that is revealed at $v$ since passing through $w = \mathrm{Apred}(v)$. 
This quantity is "significant" if it is beyond a threshold $\log(1 + \delta)$ (where, for concreteness, 
$\delta = 1/N$, $N$ being the depth of $T^+$) and if it is realized by a $y$ which is somewhat likely (i.e., $P[y \mid v] > \theta$). 
In our proofs, it will be useful to consider frontiers $F_X$ and $F_Y$ which are defined identically to $F_X^\theta$ and 
$F_Y^\theta$, but with $\theta = 0$, i.e., these frontiers are considered without the restriction $P[y \mid v] > \theta$ and $P[x \mid v] > \theta$ 
respectively. 

Based on the correctness and the security of the protocol, and using the fact that $f$ is undecomposable at 
the top level, we shall first prove that these frontiers are almost "full frontiers" (when $\nu_0$, the security error 
for $\Pi$, is negligible and $\theta$ is set sufficiently small): 

Claim 4.1. On an execution over $T^+$ with a random input pair $(x, y)$, for any value of $\theta$, the probability 
that the transcript does not pass through $F_X^\theta$ (or symmetrically, $F_Y^\theta$) is at most $\mathrm{poly}(|X||Y|) \cdot \theta + O(\nu_0)$. 

This is proven as Claim 5.3. Given that these frontiers exist, next we prove a restriction on how they 
can occur relative to each other, leading to our final contradiction. Intuitively, the claim states the following: 
suppose a transcript passes through a node $u \in F_X^\theta$; in a secure protocol not only should $u$ occur only at or 
below the frontier $F_Y^\theta$, but even $\mathrm{Apred}(u)$ should occur only at or below $F_Y^\theta$; that is, a node in $F_Y^\theta$ should 
occur strictly above $u$. (Similarly, for $v \in F_Y^\theta$ and the frontier $F_X^\theta$.) 

Claim 4.2. Consider running the execution on $T^+$ with a random input $(x, y)$, where $\epsilon$ is the parameter of 
the Independence Learner Eve. The probability that the transcript passes through a node $u \in F_X^\theta$ such that 
$\mathrm{Apred}(u) \prec F_Y^\theta$ is at most 

$$\mathrm{poly}(N|X||Y|\kappa/\theta) \cdot (\epsilon^{\Omega(1)} + \nu_0) + \mathrm{poly}(|X||Y|) \cdot \theta.$$ 

Similarly, the probability that the transcript passes through a node $v \in F_Y^\theta$ such that $\mathrm{Bpred}(v) \prec F_X^\theta$ is 
bounded by the same quantity. 

^10 In all our equations, we use the convention that the probability of an event conditioned on a zero-probability event is zero. 
Alternately, we can avoid this by assuming, adding a negligible security error, that for any pair of inputs, any node in $T^+$ is reached 
with positive probability. 

Once we prove this claim (as Claim 5.1), the required contradiction follows easily: by setting $\theta$ small 
enough (but $\Theta(1/\mathrm{poly}(|X||Y|))$), and choosing $\epsilon$ for the independence learner appropriately (note that this 
does not affect $N$), the bounds in the above claims can all be driven below, say, any constant (for sufficiently 
large values of the security parameter). Thus with positive probability the transcript must pass through 
$u \in F_X^\theta$ and $v \in F_Y^\theta$, with $v \prec u$ and $u \prec v$, giving us the desired contradiction. 

To prove Claim 4.2, technically, it is more convenient to bound the probability of encountering 
$\tilde F_X' = \{u \mid u \in F_X^\theta \text{ and } \mathrm{Apred}(u) \prec F_Y\}$ (instead of $u \in F_X^\theta$ such that $\mathrm{Apred}(u) \prec F_Y^\theta$). The difference between 
these two events can be bounded relatively easily (see the proof in Section 5.1 for details). In particular, for 
this we use the above Claim 4.1 (with $\theta = 0$) and a bound on the probability of $F_Y$ appearing strictly above 
$F_X^\theta$ and $F_Y^\theta$ (proven as Claim 5.4): 

$$P[F_Y \prec (F_X^\theta \cup F_Y^\theta)] \le \theta \cdot \mathrm{poly}(|X||Y|) \qquad (1)$$ 

Intuitively, the bound above says that if $F_Y$ is encountered strictly above $F_X^\theta$, then it is very likely to occur 
together with $F_Y^\theta$; hence when a part of $F_X^\theta$ occurs at or above $F_Y^\theta$ (so that its Apred is strictly above $F_Y^\theta$) it 
is very likely to be at or above $F_Y$ too. To upper bound the probability of the former, it is enough to upper 
bound the probability of the latter. 

Bounding $P[\tilde F_X']$ (the probability of reaching $\tilde F_X'$ with uniformly random inputs) involves several parts: 

• Part 1: Firstly, we show that we can concentrate on a $2 \times 2$ minor of the function $f$: that is, $x_0, x_1 \in X$ 
and $y_0, y_1 \in Y$ such that $f(x_0, y_0) = f(x_1, y_0)$ but $f(x_0, y_1) \neq f(x_1, y_1)$ (assuming $\tilde F_X'$ has significant probability). 
We show that there exists a segment $\tilde F_X'' \subseteq \tilde F_X'$ such that the inputs $(x_0, y_1)$ and $(x_1, y_1)$ are distinguished 
at $\tilde F_X''$, and $P[\tilde F_X'] \le \mathrm{poly}(|X||Y|/\theta)\, P[\tilde F_X'' \mid x_0, y_1]$.^11 

In the rest of the proof we need to bound $P[\tilde F_X'' \mid x_0, y_1]$. The segment $\tilde F_X''$ splits into two parts: nodes $u$ with 
$\mathrm{Apred}(u)$ being an Alice node, denoted by $S_X$, and the ones with $\mathrm{Apred}(u)$ being a child of an Alice node, 
denoted by $R_X$. 

• Part 2: Using Lemma A.1 we show that Alice's message cannot reveal any (significant) information 
about Bob's input, given the information already present in the transcript of the augmented execution (in 
Lemma A.2). This is used to bound $P[S_X \mid x_0, y_1]$. Note that this part is analogous to the argument when no 
oracle is present, though more involved (without oracles, this property is a trivial consequence of the nature 
of a protocol). 

• Part 3: The most involved part is to bound $P[R_X \mid x_0, y_1]$. Here we want to bound the probability 
that a distinction between $x_0$ and $x_1$ is revealed (when Bob's input is $y_1$) at a node $u$ that is not a child of 
an Alice node, but at $w = \mathrm{Apred}(u)$ the distinction between $y_0$ and $y_1$ has not been made. Since at $w$, $y_0$ 
and $y_1$ are not distinguished by the transcript, in an execution with his actual input being $y_0$, on hitting the 
node $w$, Bob can mentally switch his input to $y_1$, i.e., sample a view (including answers from the oracle) 
consistent with the transcript and input $y_1$. We would like to argue that then Bob can continue the execution 
of the protocol (till before Alice should send the next message) and check if it hits $u$ or not, to distinguish 
between $x_0$ and $x_1$. However, the execution depends on the random oracle which in turn is correlated with 
both parties' inputs. So Bob cannot sample a correctly distributed random oracle (since he does not know 
Alice's input) nor directly use the actual random oracle he has access to (since it is conditioned on his actual 
input $y_0$ and not $y_1$). 

^11 Note that the need for working with $F_X^\theta$ and $F_Y^\theta$ rather than just $F_X$ and $F_Y$ is that in this part we rely on the "distinguishing 
input" being somewhat likely. (If $\theta = 0$ the above bound is useless.) 
The main idea here is that the independence guarantee from Lemma A.1 can be used to let Bob "edit" the 
actual random oracle (conditioned on $(x, y_0)$) to simulate a random oracle conditioned on $(x, y_1)$ (without 
knowing $x$). The editing involves inserting answers consistent with a sampled view (with input $y_1$), "deleting" 
answers that are not present in this sampled view but are present in the actual view (with input $y_0$), and using 
the original oracle for queries not answered in the sampled view or the actual view. (See Figure 3 for an 
illustration.) The "safety condition" in Claim 5.7 assures that the queries from the sampled view that are 
not in Eve's view (for which the answers from the sampled view are used) and the queries from the original 
view that are not in Eve's view (for which random answers are used) are both unlikely to be in Alice's 
view; this lets us show that the oracle resulting from the editing is correctly conditioned on the input pair 
$(x, y_1)$. 

The final (passive) attack involves carrying out the above attack at every node $w$ and checking if the curious 
exploration hits the segment $R_X$ in any such exploration. We show that if $P[R_X \mid x_0, y_1]$ is significant 
then it will be more likely for the exploration to hit $R_X$ in the exploration with input $(x_0, y_0)$ 
than in the exploration with input $(x_1, y_0)$, thereby violating the security condition. 

Throughout the argument, translating intuitive statements about information and probability is complicated 
by the fact that the probability of reaching different nodes depends on the inputs themselves. While 
intuitively, some of these distributions must be close to each other until the frontiers $F_X$ and $F_Y$ are crossed, 
we often cannot leverage this intuition without being trapped in circular arguments. Nevertheless, going 
through several carefully chosen intermediate steps, we can relate the advantage obtained by Bob in distinguishing 
$x_0$ and $x_1$ when using input $y_1$ with that he obtains when using input $y_0$ with the above attack. 

5 Detailed Proof of Theorem 1.1 

In this section we present the remaining details of the proof of Theorem 1.1 that were sketched in Section 4. 

Recall the setting introduced in Section 4: $f$ is a deterministic symmetric two-party function which is 
undecomposable at the top-most level (i.e., not even the first step of decomposition is possible). Suppose $\Pi$ 
is a semi-honest secure SFE protocol for $f$ using a random oracle $O$ with simulation error $\nu_0$. We defined 
an augmented transcript tree $T^+$, and frontiers $F_X^\theta$ and $F_Y^\theta$ in $T^+$. First, we shall state our main technical 
claim about these frontiers in Section 5.1, and show how it follows from several sub-claims that are proven in 
subsequent sections. Based on Claim 5.3 and Claim 5.1, we present the proof of Theorem 1.1 in Section 5.2. 
The sub-claims used in the proof of Claim 5.1 are proven in Section 5.3, Section 5.4 and Section 5.5. 

The technical heart of the proof appears in Section 5.5, which is part of the proof of Claim 5.1. 

5.1 Frontier Ordering 

In this section we shall prove the claim regarding the frontier ordering, Claim 4.2. The claim bounds the 
probability (with uniformly random inputs) of the transcript encountering the following part of the frontier $F_X^\theta$: 

$$\tilde F_X = \{u \mid u \in F_X^\theta \text{ and } \mathrm{Apred}(u) \prec F_Y^\theta\}.$$ 

Figure 2 shows this part schematically. 

Figure 2: A schematic representation of the segment $\tilde F_X$ (indicated by the thicker line). The dotted lines connect 
nodes to their Apred nodes (see Figure 1). $\tilde F_X$ contains those nodes $u \in F_X^\theta$ such that $\mathrm{Apred}(u)$ occurs 
strictly above $F_Y^\theta$. We seek to upper bound the probability $P[\tilde F_X]$ (when the inputs are uniformly chosen). 

Claim 5.1. Let $\tilde F_X := \{u \mid u \in F_X^\theta \text{ and } \mathrm{Apred}(u) \prec F_Y^\theta\}$ and $\tilde F_Y := \{u \mid u \in F_Y^\theta \text{ and } \mathrm{Bpred}(u) \prec F_X^\theta\}$. 
Then there exist polynomials $\zeta, \zeta'$ and $\epsilon_0, \epsilon_1 = \epsilon^{\Omega(1)}\, \mathrm{poly}(|X||Y|\kappa)$, such that for any value of $\theta$, 

$$P[\tilde F_X] \le \zeta(N|X||Y|/\theta) \cdot (\epsilon_0 + \epsilon_1 + \nu_0) + \zeta'(|X||Y|) \cdot \theta \qquad (2)$$ 
$$P[\tilde F_Y] \le \zeta(N|X||Y|/\theta) \cdot (\epsilon_0 + \epsilon_1 + \nu_0) + \zeta'(|X||Y|) \cdot \theta \qquad (3)$$ 

Proof. We shall prove Eq. 2 (the second part being symmetrical). That is, we are interested in bounding the 
probability that, on running the execution on $T^+$ with uniformly random inputs $(x, y)$, the transcript reaches 
a node in $\tilde F_X = \{u \mid u \in F_X^\theta \text{ and } \mathrm{Apred}(u) \prec F_Y^\theta\}$. We say that the event $\tilde F_X$ occurs if the path from the root to 
the generated transcript passes through a node in $\tilde F_X$. 

To obtain an upper bound on $P[\tilde F_X]$, we first observe that the event $\tilde F_X$ implies the occurrence of one of 
the following three events: 

1. Event $\overline{F_Y}$: the transcript path does not pass through any node in $F_Y$. 

2. Event $F_Y \prec (F_X^\theta \cup F_Y^\theta)$: the transcript path passes through a node $z \in F_Y$ and $z \prec (F_X^\theta \cup F_Y^\theta)$ (i.e., 
there is no node $v \in F_X^\theta \cup F_Y^\theta$ such that $v \preceq z$). 

3. Event $\tilde F_X'$: the path passes through $\tilde F_X'$, which is defined similarly to $\tilde F_X$ but replacing $F_Y^\theta$ by $F_Y$, 
i.e., 

$$\tilde F_X' = \{u \mid u \in F_X^\theta \text{ and } \mathrm{Apred}(u) \prec F_Y\}.$$ 

To see this, suppose $\tilde F_X$ is encountered, but neither of the first two events occurs; then the transcript path passes 
through $u \in \tilde F_X$, a node $z \in F_Y$, and a node $v \preceq z$ such that $v \in F_X^\theta \cup F_Y^\theta$. We argue that in this case 
$\mathrm{Apred}(u) \prec z$; then, since $F_Y$ is a frontier, $\mathrm{Apred}(u) \prec F_Y$ and hence $u \in \tilde F_X'$. This is because: 

• If $v \in F_X^\theta$, then $u = v$ (since $u \in \tilde F_X$ and $v \in F_X^\theta$ are on the same path), and $\mathrm{Apred}(u) \prec u = v \preceq z$. 

• If $v \in F_Y^\theta$, then $v = z$ (since $v \in F_Y^\theta$, $z \in F_Y$ and $v \preceq z$ together imply $z = v$) and further, since $u \in \tilde F_X$ and 
$v \in F_Y^\theta$ are on the same path, by definition of $\tilde F_X$, $\mathrm{Apred}(u) \prec v = z$. 
Thus, it suffices to upper bound the probabilities of each of these three events. We will be able to 
easily bound both $P[\overline{F_Y}]$ and $P[F_Y \prec (F_X^\theta \cup F_Y^\theta)]$ (Claim 4.1, proven as Claim 5.3, and Eq. 1, proven 
as Claim 5.4, respectively). The main technical difficulty is in bounding $P[\tilde F_X']$, which is carried out in 
Claim 5.5. From these three claims we get 

$$P[\overline{F_Y}] = O(\nu_0) \qquad \text{(By Claim 4.1, with } \theta = 0\text{)}$$ 

$$P[F_Y \prec (F_X^\theta \cup F_Y^\theta)] \le \mathrm{poly}(|X||Y|)\, \theta \qquad \text{(By Eq. 1)}$$ 

$$P[\tilde F_X'] \le \mathrm{poly}(N|X||Y|/\theta)\, (\epsilon_0 + \epsilon_1 + \nu_0) \qquad \text{(By Claim 5.5)}$$ 

Adding the three, we get the required bound. □ 

5.2 Proof of Theorem 1.1 

The main part of the proof proves the impossibility of a semi-honest secure SFE protocol, even using random oracles, for a symmetric function $f$ that is undecomposable at the top-level. We shall shortly see that this is enough.

So, suppose $f$ is a 2-party symmetric function that is undecomposable at the top-most level, and $\Pi$ is a semi-honest secure protocol using a random oracle $O$ for the SFE functionality evaluating $f$, with simulation error $\nu_0$. This is the setting under which the frontiers in $T^+$ are defined, and Claim 5.3 and Claim 5.1 hold. The proof follows by deriving a contradiction from these two claims (instantiated with suitable parameters).

We shall set $\theta = \min\left\{\frac{1}{8\zeta_0(|X||Y|)},\ \frac{1}{8\zeta'(|X||Y|)}\right\}$, where $\zeta_0$ and $\zeta'$ are as in Claim 5.3 and Claim 5.1 (in fact, $\theta = \Theta\!\left(\frac{1}{|X||Y|}\right)$, by following the proofs of the various claims), and then choose a small enough (but $1/\mathrm{poly}(\kappa)$) value of $\epsilon$ so that $(\epsilon_0 + \epsilon_1) \le \frac{1}{8\zeta'(N|X||Y|/\theta)}$ (which is possible since $1/\theta$ is $\mathrm{poly}(\kappa)$ and $\epsilon_0$ and $\epsilon_1$ are $\epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|)$), so that (for large enough $\kappa$)

$$P[\overline{F_X}] + P[\overline{F_Y}] \le 2\left(c_0\nu_0 + \zeta_0(|X||Y|)\,\theta\right) < \tfrac13 \qquad \text{(By Claim 5.3)}$$

$$P[\tilde F_X] < \tfrac13 \quad\text{and}\quad P[\tilde F_Y] < \tfrac13 \qquad \text{(By Claim 5.1)}$$
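As an added check (not part of the original text), the parameter choices above can be substituted into Eq. 2 and Claim 5.3 to see where the $\tfrac13$ bounds come from; it assumes, as in the statistical-security setting of Theorem 1.1, that $\nu_0$ is negligible in $\kappa$:

$$\begin{aligned}
P[\tilde F_X] &\le \zeta'(N|X||Y|/\theta)\,(\epsilon_0+\epsilon_1) + \zeta'(N|X||Y|/\theta)\,\nu_0 + \zeta'(|X||Y|)\,\theta \\
&\le \tfrac18 + \zeta'(N|X||Y|/\theta)\,\nu_0 + \tfrac18,
\end{aligned}$$

using $\epsilon_0+\epsilon_1 \le \frac{1}{8\zeta'(N|X||Y|/\theta)}$ and $\theta \le \frac{1}{8\zeta'(|X||Y|)}$. Since $1/\theta$ is $\mathrm{poly}(\kappa)$, the middle term is $\mathrm{poly}(\kappa)\cdot\nu_0 = o(1)$, so $P[\tilde F_X] < \tfrac13$ for large enough $\kappa$; the same holds for $P[\tilde F_Y]$. Likewise $P[\overline{F_X}] + P[\overline{F_Y}] \le 2\left(c_0\nu_0 + \tfrac18\right) = \tfrac14 + 2c_0\nu_0 < \tfrac13$. A union bound then gives $P[\overline{F_X} \cup \overline{F_Y} \cup \tilde F_X \cup \tilde F_Y] < \tfrac13 + \tfrac13 + \tfrac13 = 1$, which is the non-zero probability used in the next paragraph.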

So, with non-zero probability, for a random input pair $(x,y)$, the honestly generated transcript passes through both $F_X$ and $F_Y$, but avoids both events $\tilde F_X$ and $\tilde F_Y$. Consider one such transcript $\tau$. Let $u$ and $v$ be the intersection of this path with the frontiers $F_X$ and $F_Y$ respectively. For this transcript $\tau$: $v \preceq \mathrm{Apred}(u)$ (since $u \notin \tilde F_X$) and $\mathrm{Apred}(u) \prec u$ (by definition of Apred), i.e. $v \prec u$. Symmetrically, we also get $u \preceq \mathrm{Bpred}(v)$ and $\mathrm{Bpred}(v) \prec v$, and hence $u \prec v$. This gives us a contradiction as desired.

Extending to all 2-party functions. Above we showed that any symmetric 2-party function that is undecomposable at the top-level does not have an SFE protocol secure against semi-honest adversaries in the random oracle model. Now we extend this to show that the only 2-party functions for which semi-honest secure protocols exist in the random oracle model are those for which (perfectly) semi-honest secure protocols exist in the plain model. We do this in two steps, first for symmetric 2-party functions and then for general 2-party functions. But first we state a claim that we will need (in the second step).
Claim 5.2. If a (not necessarily symmetric) 2-party function $f_0$ has a semi-honest secure protocol in the random oracle model (resp. plain model), it must be "isomorphic" to a symmetric 2-party function $f_1$ that has a semi-honest secure protocol in the random oracle model (resp. plain model).

This is because, by a result in [MOPR11], if a 2-party function $f_0$ is not isomorphic to a certain symmetric 2-party function $f_1$ (namely, the "common information function" of $f_0$ mentioned in Footnote 2), then $f_0$ is complete against semi-honest adversaries. But a complete functionality cannot have a semi-honest secure protocol in the plain or random oracle model (as otherwise all functionalities would have semi-honest secure protocols in the random oracle model, contradicting the above results).

Below are the two steps to complete the proof of Theorem 1.1. 

1. Firstly, we argue that if a symmetric 2-party function $f_1$ has a semi-honest secure protocol in the random oracle model, it must be decomposable (and hence has a perfectly semi-honest secure protocol). This is because, if $f_1$ is undecomposable, then it has a minor $f$ which is undecomposable at the top-level. Further, if $f_1$ is semi-honest securely realizable using a random oracle, so is every minor of $f_1$, including $f$, which contradicts our above result.

2. Next, if a general 2-party function $f_0$ has a semi-honest secure protocol in the random oracle model, then by Claim 5.2, there is a symmetric 2-party function $f_1$ that is isomorphic to $f_0$ and has a semi-honest secure protocol in the random oracle model. By the previous point, $f_1$ has a perfectly semi-honest secure protocol in the plain model, and as $f_0$ is isomorphic to $f_1$, so does $f_0$.

5.3 Bounding probability of events $\overline{F_X}$ and $\overline{F_Y}$

In this section we prove Claim 4.1 (restated below).

Claim 5.3. There exists a constant $c_0$ and a polynomial $\zeta_0$ such that, on executing the augmented protocol with a random input pair $(x,y)$, $P[\overline{F_X}]$ and $P[\overline{F_Y}]$ are both at most $c_0\nu_0 + \zeta_0(|X||Y|)\cdot\theta$.

Proof. We shall just show that $P[\overline{F_X}] \le p^* = (5 + (1+\delta)^N)\nu_0 + |X||Y|\theta$ (so that $c_0 = (5 + (1+\delta)^N)$ and $\zeta_0(a) = a$). The bound on $P[\overline{F_Y}]$ follows similarly. We shall, in fact, show the stronger result that $P[\overline{F_X}\,|\,x,y] \le p^*$, for all $(x,y) \in X \times Y$.

Let $S$ be the set of all complete transcripts such that none of their ancestors lie in $F_X$. First, consider any input pair $(x,y) \in X \times Y$ such that $f(\cdot,y)$ is not a constant function; we shall upper-bound the probability

$$P[S|x,y] \le p^* - 4\nu_0.$$

Let the frontier $U(y)$ be the set of nodes $u$ where, for the first time on a path from the root, $P[y|u] < \theta$. Let $L(y) = \{u \in S \mid u \prec U(y)\}$ be the part of $S$ which is strictly above $U(y)$. Then $P[S|x,y] \le P[U(y)|x,y] + P[L(y)|x,y]$. Firstly,

$$P[U(y)|x,y] = \sum_{u\in U(y)} P[u|x,y] = \sum_{u\in U(y)} \frac{P[x,y|u]\,P[u]}{P[x,y]} = |X||Y| \sum_{u\in U(y)} P[x,y|u]\,P[u] \le |X||Y| \sum_{u\in U(y)} P[y|u]\,P[u] < |X||Y|\,\theta \sum_{u\in U(y)} P[u] \le |X||Y|\,\theta.$$

For nodes $v \in L(y)$, we have $P[y|u] \ge \theta$ for all $u \preceq v$. Recall that $v$ does not have an ancestor in $F_X$. So, it must be the case that, for all $x, x' \in X$ we have $P[v|x,y] \le (1+\delta)^N P[v|x',y]$. Since $f(\cdot,y)$ is not a constant function, there exists $x' \in X$ such that $f(x,y) \ne f(x',y)$. We can partition the set $L(y)$ into two sets:

1. $C(y)$: Those transcripts $v \in L(y)$ whose associated output is $f(x,y)$, i.e. those transcripts which provide the correct output when the input is $(x,y)$, and

2. $W(y)$: Those transcripts $v \in L(y)$ whose associated output is $\ne f(x,y)$, i.e. those transcripts which provide a wrong output when the input is $(x,y)$.

Since the simulation error is at most $\nu_0$, we can conclude that $P[W(y)|x,y] \le \nu_0$. Further, observe that the outputs associated with the transcripts in $C(y)$ are incorrect for input $(x',y)$. Therefore, $P[C(y)|x',y] \le \nu_0$. But, $P[C(y)|x,y] \le (1+\delta)^N P[C(y)|x',y] \le (1+\delta)^N \nu_0$. Now, we can claim that $P[L(y)|x,y] \le (1 + (1+\delta)^N)\,\nu_0$.

Adding these two results, we can conclude that

$$P[S|x,y] \le p^* - 4\nu_0.$$

Now, we consider any $(x,y) \in X \times Y$ such that $f(\cdot,y)$ is a constant function. Since $f$ is undecomposable at the top-most level, there exist $x' \in X$ and $y' \in Y$ such that $f(x',y) = f(x',y')$ and $f(\cdot,y')$ is not a constant function. Thus, by the security condition, we can conclude that the final transcript distributions induced by $(x,y)$ and $(x',y')$ have at most $4\nu_0$ statistical distance. Thus, to complete the proof of the theorem$^{12}$:

$$P[S|x,y] \le P[S|x',y'] + 4\nu_0 \le p^*. \qquad \square$$
5.4 Bounding probability of event $F_Y \prec (F_X \cup F_Y)$

Claim 5.4. On executing the augmented protocol with a random input pair $(x,y)$, $P[F_Y \prec (F_X \cup F_Y)]$ is at most $(1 + (1+\delta)^N)\,|X||Y|\,\theta$. The same bound holds for $P[F_X \prec (F_X \cup F_Y)]$.

Proof. Let $S$ be the set of nodes $v \in F_Y$ such that for all $u \prec v$, $u \notin F_X \cup F_Y$, i.e. $v \prec (F_X \cup F_Y)$. We shall bound $P[S|x,y]$ for each input pair $(x,y) \in X \times Y$. Fix an input pair $(x,y)$. Let $U(x,y)$ be the frontier of nodes $v$ where for the first time $P[x|v] < \theta$ or $P[y|v] < \theta$. Let $L(x,y) = \{u \mid u \in S \text{ and } u \prec U(x,y)\}$ be the part of $S$ which is strictly above $U(x,y)$. We shall bound $P[S|x,y] \le P[U(x,y)|x,y] + P[L(x,y)|x,y]$, by bounding the two terms separately.



$$P[U(x,y)|x,y] = \sum_{v\in U(x,y)} P[v|x,y] = \sum_{v\in U(x,y)} \frac{P[x,y|v]\,P[v]}{P[x,y]} \le |X||Y| \sum_{v\in U(x,y)} \min\{P[x|v], P[y|v]\}\cdot P[v] < \theta|X||Y| \sum_{v\in U(x,y)} P[v] \le \theta|X||Y|.$$

To bound $P[L(x,y)|x,y]$, we partition $L(x,y)$ into $L_{\hat x}(x,y) \subseteq L(x,y)$, one for each $\hat x \in X \setminus \{x\}$, such that for $v \in L_{\hat x}(x,y)$, $v$ is included in $F_Y$ because $\exists y', y''$ such that $P[v|\mathrm{Bpred}(v); \hat x, y'] > (1 +$

$^{12}$ We note that this bound is not restricted only to the uniform distribution over input pairs. In fact, for any input pair distribution such that $P[x,y]$ is a function of the output $f(x,y)$, $P[S] \le p^*$.
$\delta)\,P[v|\mathrm{Bpred}(v); \hat x, y'']$. Note that $\hat x \ne x$, otherwise $v \in F_Y$. By definition of $L(x,y)$, we have $v \prec (F_X \cup F_Y \cup U(x,y))$, i.e. $v \prec F_Y$. This implies that:

$$P[\hat x|v] < \theta.$$

Observe that for all $u \preceq v \in L(x,y)$, we have $P[y|u] \ge \theta$. But $v \prec F_X$. Which implies:

$$P[v|x,y] \le (1+\delta)^N\,P[v|\hat x,y].$$

Now, $P[v|\hat x,y] \le P[v|\hat x]/P[y|\hat x] = |Y|\,P[v|\hat x]$. So for $v \in L_{\hat x}(x,y)$,

$$P[v|x,y] \le (1+\delta)^N|Y|\,P[v|\hat x] = (1+\delta)^N|X||Y|\,P[\hat x|v]\,P[v] < (1+\delta)^N|X||Y|\,\theta\,P[v].$$

Hence, $P[L(x,y)|x,y] \le (1+\delta)^N|X||Y|\,\theta \sum_{v\in L(x,y)} P[v] \le (1+\delta)^N|X||Y|\,\theta$. Putting this together with the above bound on $P[U(x,y)|x,y]$ we get, for all $(x,y)$, $P[S|x,y] \le (1 + (1+\delta)^N)\,\theta|X||Y|$. Hence, $P[S] \le (1 + (1+\delta)^N)\,\theta|X||Y|$. $\square$

5.5 Bounding the probability of event $\tilde F_X$

This section carries out the technical heart of the proof. For convenience we define $\mu = (1+\delta)^N$, $\delta' = (1+\delta)^{1/(|X|-1)} - 1$ and $\delta'' = (1+\delta)^{1/(|Y|-1)} - 1$. Note that with $\delta = \frac{1}{N}$, $\mu = O(1)$ and $\delta', \delta'' = \Omega\!\left(\frac{1}{N(|X|+|Y|)}\right)$ (where $|X|, |Y| > 1$).

Claim 5.5. There exist $\epsilon_0, \epsilon_1 = \epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|)$, such that the probability of the augmented protocol with uniformly random inputs reaching $\tilde F_X$ is

$$P[\tilde F_X] \le \frac{2\mu^2|X|^2|Y|(1+\delta')N}{\delta'\theta}\,(\nu_0 + \epsilon_0 + 2\epsilon_1).$$

The same bound, with $\delta''$ instead of $\delta'$, holds for $P[\tilde F_Y]$.

We focus on proving the first part of this claim (the second part being symmetrical). That is, we are interested in bounding the probability that, on executing $\Pi$ with uniformly random inputs $(x,y)$, the transcript reaches a node in $\tilde F_X = \{u \mid u \in F_X \text{ and } \nexists z \in F_Y \text{ s.t. } z \preceq \mathrm{Apred}(u)\}$.

We break the full proof of the claim into three parts:

1. Part 1. We shall show that there exists $\hat F_X \subseteq \tilde F_X$ such that $P[\hat F_X] \ge P[\tilde F_X]/(|X||Y|)^2$, and there are $x_0, x_1 \in X$ and $y_0, y_1 \in Y$, such that $f(x_0,y_0) = f(x_1,y_0)$, and $P[\hat F_X|x_0,y_1]$ is comparable to $P[\hat F_X]$ (with uniformly random inputs $(x,y)$), and for every $u \in \hat F_X$, $y_1$ sufficiently distinguishes $x_0$ and $x_1$. More precisely,

$$P[\hat F_X|x_0,y_1] \ge \frac{\theta|Y|}{(1+\delta)^N}\,P[\hat F_X], \qquad (4)$$

and for all $u \in \hat F_X$, if $w = \mathrm{Apred}(u)$, then $P[u|w;x_0,y_1] > (1+\delta)^{1/(|X|-1)}\,P[u|w;x_1,y_1]$, and hence

$$P[u|w;x_0,y_1] - P[u|w;x_1,y_1] > \frac{\delta'}{1+\delta'}\,P[u|w;x_0,y_1], \qquad (5)$$

where $\delta' = (1+\delta)^{1/(|X|-1)} - 1$.
2. Part 2. We shall also show that $P[S_X|x_0,y_1]$, where $S_X = \hat F_X \cap$ Achildren, must be "small" if the protocol is secure. (For a node $u \in S_X$, $\mathrm{Apred}(u) \in$ Anodes.)

3. Part 3. Then we shall show that $P[R_X|x_0,y_1]$, where $R_X = \hat F_X \setminus$ Achildren, must be small if the protocol is secure. (For a node $u \in R_X$, $\mathrm{Apred}(u) \in$ Achildren.)

Since $P[\hat F_X|x_0,y_1] = P[R_X|x_0,y_1] + P[S_X|x_0,y_1]$, Parts 2 and 3 imply that $P[\hat F_X|x_0,y_1]$ is small as well. Further, by Part 1, $P[\hat F_X]$ and, thus, $P[\tilde F_X]$ is small as well.

The error terms $\epsilon_0$ and $\epsilon_1$ appear in Parts 2 and 3 respectively, from Claim 5.6 and Claim 5.7. The claims are consequences of the independence properties obtained by Eve of Lemma A.1. Below we state the former claim (and show how it follows from Lemma A.2 proven in Appendix A), which states that Alice's message is almost independent of Bob's input, conditioned on Eve's view thus far.

Claim 5.6. For all $x \in X$, $y, y' \in Y$, if $W \subseteq$ Anodes is such that for all $w \in W$, $P[y|w;x], P[y'|w;x] \ge \alpha$ for $\alpha = \frac{1}{\mathrm{poly}(|X||Y|)}$, then, for $\epsilon \le 1/\mathrm{poly}(\kappa|X||Y|)$ (for some polynomial) and an error parameter $\epsilon_0 = \epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|)$, we have

$$\sum_{w\in W} P[w|x,y]\cdot \mathrm{SD}\big(\{\mathrm{chldrn}(w)|w;x,y\}, \{\mathrm{chldrn}(w)|w;x,y'\}\big) \le N\epsilon_0, \qquad (6)$$

where $\{\mathrm{chldrn}(w)|w;x,y\}$ and $\{\mathrm{chldrn}(w)|w;x,y'\}$ stand for the distribution of the next node after $w$ (i.e., Alice's message at $w$) in $T^+$ when $\Pi$ is executed with inputs $(x,y)$ and $(x,y')$ respectively.

Proof. Lemma A.2, stated in terms of a traversal of the tree $T^+$, partitions the nodes at each level in the tree into three sets: a low-probability set $W_0$ such that $P[W_0|x,y] \le \epsilon'$; $W_1$ such that for $w \in W_1$, $P[y|w;x] < \epsilon'$ or $P[y'|w;x] < \epsilon'$; and $W_2$ such that for $w \in W_2$, $\mathrm{SD}(\{\mathrm{chldrn}(w)|w;x,y\}, \{\mathrm{chldrn}(w)|w;x,y'\}) \le \epsilon'$. Note that $W_1 \cap W = \emptyset$ because (for sufficiently small values of $\epsilon$), $\epsilon' = \epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|) < \alpha$. So,

$$\sum_{w\in W} P[w|x,y]\cdot \mathrm{SD}\big(\{\mathrm{chldrn}(w)|w;x,y\}, \{\mathrm{chldrn}(w)|w;x,y'\}\big) \le \sum_{\text{levels}} \sum_{w\in W_0} P[w|x,y] + \sum_{\text{levels}} \sum_{w\in W_2\cap W} P[w|x,y]\,\epsilon' \le N\epsilon' + N\epsilon' \le N\epsilon_0,$$

where $\epsilon_0 = 2\epsilon'$. $\square$

We mention a few other technical inequalities that are useful in the proof.

For $u \in \hat F_X$, if $w = \mathrm{Apred}(u)$, then $w$ is strictly above the frontier $F_Y$, and hence

$$P[w|x_0,y_0] \ge \frac{P[w|x_0,y_1]}{(1+\delta)^N}. \qquad (7)$$

For any subset $W$ of nodes,

$$-2N\nu_0 \le \sum_{w\in W} P[w|x_0,y_0] - P[w|x_1,y_0] \le 2N\nu_0, \qquad (8)$$

because $f(x_0,y_0) = f(x_1,y_0)$ and by the security guarantee of $\Pi$, restricted to the intersection of $W$ with the frontier corresponding to a fixed round number, this summation is at most $2\nu_0$ (since in the ideal world, the simulated views are identical, and for each execution, the error from the simulated distribution is at most

It will be useful to relate $\sum_{w\in W}\big(P[w|x_0,y_0]\sum_{u\in S_w} g(u,w)\big)$ to $\sum_{w\in W}\big(P[w|x_1,y_0]\sum_{u\in S_w} g(u,w)\big)$, where for all $w \in W$, $\sum_{u\in S_w} g(u,w) \le 1$. This arises for us when $S_w$ forms part of a frontier, and $g(u,w)$ is a probability distribution (possibly conditioned on $w$) or statistical distance between two probability distributions.

$$\begin{aligned}
\sum_{w\in W} P[w|x_1,y_0] \sum_{u\in S_w} g(u,w) &= \sum_{w\in W} P[w|x_0,y_0] \sum_{u\in S_w} g(u,w) - \sum_{w\in W}\big(P[w|x_0,y_0] - P[w|x_1,y_0]\big)\sum_{u\in S_w} g(u,w) \\
&= \sum_{w\in W} P[w|x_0,y_0] \sum_{u\in S_w} g(u,w) \pm 2N\nu_0 \qquad \text{(By Eq. 8.)} \qquad (9)
\end{aligned}$$

Here, we applied Eq. 8 to two subsets of $W$ (where $(P[w|x_0,y_0] - P[w|x_1,y_0])$ is positive and negative, respectively) and also used the fact that $\sum_{u\in S_w} g(u,w) \le 1$.

Part 1. We define $\hat F_X$ and $(x_0, x_1, y_0, y_1)$.

For any node $u \in F_X$, there exists $y^* \in Y$ and some $x, x' \in X$ such that $P[u|w;x,y^*] > (1+\delta)\,P[u|w;x',y^*]$, where $w = \mathrm{Apred}(u)$. W.l.o.g., we consider $x$ which maximizes $P[u|w;x,y^*]$; we call the maximum value $\alpha(u,y^*)$. Since $f$ is not row-decomposable at the top-level, there exists a sequence of $t+1 \le |X|$ values $x_0, \cdots, x_t$ such that

• $x_0 = x$, $x_t = x'$ (and hence $P[u|w;x_0,y^*] > (1+\delta)\,P[u|w;x_t,y^*]$);

• for every $i = 0, \cdots, t-1$, there exists $y_i \in Y$ such that $f(x_i,y_i) = f(x_{i+1},y_i)$.

Then, there exists an $i$ such that $P[u|w;x_i,y^*] > (1+\delta)^{1/t}\,P[u|w;x_{i+1},y^*]$ and $P[u|w;x_i,y^*] \ge P[u|w;x_0,y^*]/(1+\delta)$. We will denote $(x_i, x_{i+1}, y_i)$ by $(x_u, x'_u, y_u)$. Thus, for every node $u \in F_X$, there are $(x_u, x'_u, y_u, y^*_u)$ such that

• $f(x_u,y_u) = f(x'_u,y_u)$, and

• $P[u|w;x_u,y^*_u] > (1+\delta)^{1/(|X|-1)}\,P[u|w;x'_u,y^*_u]$ and $P[u|w;x_u,y^*_u] \ge \alpha(u,y^*_u)/(1+\delta)$.

Suppose that $P[\tilde F_X] = p$, i.e., when the protocol is executed with a random input pair $(x,y)$, with probability $p$ the transcript passes through some $u \in \tilde F_X$. Since there are at most $|X|^2|Y|^2$ values for the tuples $(x_u, x'_u, y_u, y^*_u)$, we can find a tuple $(x_0, x_1, y_0, y_1)$ such that the transcript passes through $u \in \tilde F_X$ with $(x_u, x'_u, y_u, y^*_u) = (x_0, x_1, y_0, y_1)$ with probability at least $p' = p/(|X|^2|Y|^2)$. We define $\hat F_X \subseteq \tilde F_X$ as containing those $u$ with $(x_u, x'_u, y_u, y^*_u) = (x_0, x_1, y_0, y_1)$. Then $P[\hat F_X] \ge p'$.

For $w = \mathrm{Apred}(u)$ for $u \in \hat F_X$, $w$ is strictly above $F_X$, and hence $P[w|x_0,y_1] \ge P[w|y_1]/(1+\delta)^{N-1}$. (Since $w$ has a child $u$, we upper-bound its depth by $N-1$.)
Also, since for $u \in \hat F_X$ we have $P[u|w;x_0,y_1] \ge \alpha(u,y_1)/(1+\delta) \ge P[u|w;y_1]/(1+\delta)$, we get that

$$\begin{aligned}
P[\hat F_X|x_0,y_1] &= \sum_w P[w|x_0,y_1] \sum_{\substack{u\in \hat F_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_1] \\
&\ge \frac{1}{(1+\delta)^N} \sum_w P[w|y_1] \sum_{\substack{u\in \hat F_X\\ \mathrm{Apred}(u)=w}} P[u|w;y_1] \\
&= \frac{1}{(1+\delta)^N}\,P[\hat F_X|y_1].
\end{aligned}$$

Finally, note that for $u \in \hat F_X$, $P[y_1|u] \ge \theta$ and hence

$$P[\hat F_X|y_1] = \sum_{u\in \hat F_X} P[u|y_1] = \sum_{u\in \hat F_X} |Y|\,P[y_1|u]\,P[u] \ge \theta|Y|\,P[\hat F_X].$$

Hence,

$$P[\hat F_X|x_0,y_1] \ge \frac{\theta|Y|}{(1+\delta)^N}\,P[\hat F_X].$$



Part 2. This part is in fact similar to the argument in [MPR09], except that we need to rely on the independence guarantee from Claim 5.6 to say that Alice's message is (almost) independent of Bob's input, conditioned on the (augmented) transcript so far. We shall show that $|P[S_X|x_0,y_0] - P[S_X|x_1,y_0]|$ is significant if $P[S_X|x_0,y_1]$ is significant. However, since $f(x_0,y_0) = f(x_1,y_0)$, the former must be "small", and hence the latter too must be small.

Since $S_X$ is part of a frontier, for all $x, y$,

$$P[S_X|x,y] = \sum_{u\in S_X} P[u|x,y] = \sum_{w\in \text{Anodes}} P[w|x,y] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x,y].$$

For $u \in S_X$, $w = \mathrm{Apred}(u)$ is its parent, an Alice node which is strictly above $F_Y$.

$$\begin{aligned}
P[S_X|x_0,y_0] &= \sum_w P[w|x_0,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_0] \\
&= \sum_w P[w|x_0,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_1] \pm N\epsilon_0 \qquad \text{(By Eq. 6.)}
\end{aligned}$$

Note that Eq. 6 can be applied above, since the summation is over $w$ strictly above $F_Y$ (since $w = \mathrm{Apred}(u)$ for $u \in S_X$), and for such $w$, $P[y|w;x] \ge \frac{\theta}{(1+\delta)^N|Y|} = \frac{1}{\mathrm{poly}(|X||Y|)}$.
$$\begin{aligned}
P[S_X|x_1,y_0] &= \sum_w P[w|x_1,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_1,y_0] \\
&= \sum_w P[w|x_1,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_1,y_1] \pm N\epsilon_0 \qquad \text{(By Eq. 6.)} \\
&= \sum_w P[w|x_0,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_1,y_1] \pm 2N\nu_0 \pm N\epsilon_0 \qquad \text{(By Eq. 9.)}
\end{aligned}$$



The above expressions for $P[S_X|x_0,y_0]$ and $P[S_X|x_1,y_0]$, combined with Eq. 5 and Eq. 7, let us relate their difference to $P[S_X|x_0,y_1]$, as follows.

$$\begin{aligned}
&P[S_X|x_0,y_0] - P[S_X|x_1,y_0] \\
&\ge \sum_w P[w|x_0,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} \big(P[u|w;x_0,y_1] - P[u|w;x_1,y_1]\big) - 2N(\nu_0+\epsilon_0) \\
&\ge \left(\frac{\delta'}{1+\delta'}\right) \sum_w P[w|x_0,y_0] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_1] - 2N(\nu_0+\epsilon_0) \\
&\ge \left(\frac{\delta'}{(1+\delta')(1+\delta)^N}\right) \sum_w P[w|x_0,y_1] \sum_{\substack{u\in S_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_1] - 2N(\nu_0+\epsilon_0) \\
&\ge \left(\frac{\delta'}{(1+\delta')(1+\delta)^N}\right) P[S_X|x_0,y_1] - 2N(\nu_0+\epsilon_0).
\end{aligned}$$



Part 3. We shall consider an attack when the protocol is run with inputs $(x_0,y_0)$ or $(x_1,y_0)$ (which must be indistinguishable for security). We shall show that if $P[R_X|x_0,y_1]$ is significant, then the curious Bob's output is significantly correlated with Alice's input $x$ (biased more towards 0 when $x = x_0$). This will contradict the security of the protocol, since in the ideal world, Bob with input $y_0$ cannot distinguish between Alice's input being $x_0$ or $x_1$.

The probability that the execution with input $(x_0,y_0)$ reaches a node $w = \mathrm{Apred}(u)$ for $u \in R_X$ is significant if this probability is significant in the execution with input $(x_0,y_1)$, since each such $w$ falls above the $F_Y$ frontier, and replacing $y_1$ with $y_0$ causes only a constant factor change in the probabilities. In Figure 4 we describe a curious Bob who can, at such a point, mentally substitute its input $y_0$ with $y_1$ and simulate the augmented execution (including, and this is the non-trivial part, the answers from the oracle) till before the next Alice message. The probability that this simulated execution goes through $R_X$ remains significant when Alice's input is $x_0$ (since the simulated execution will have input $(x_0,y_1)$). At the same time, the probability of the execution with $(x_1,y_1)$ hitting each node in $R_X$ differs by a significant factor from that when Alice's input is $x_0$ (Eq. 5). This will let the curious Bob distinguish between when Alice's input is $x_0$ and when it is $x_1$, even though Bob's real input is $y_0$, leading to a contradiction.
Curious Bob: Learning what Eve learns, with a different input

Bob is given $y_0$ as input, and Alice is given a uniformly random element $x \leftarrow \{x_0, x_1\}$ as input. Alice and Bob execute the protocol honestly, with access to a random oracle $O$. But at the end Bob carries out the following computation.

For every Alice node $w$ in the augmented transcript which is strictly above $F_Y$, Bob carries out an exploration as follows. He samples a view $V_{B,y_1}(w)$ for himself with input $y_1$, conditioned on node $w$ (and in particular Eve's view $V_E(w)$). Bob mentally carries out the execution with the hypothetical view $V_{B,y_1}(w)$, till the next message from Alice (i.e., Eve queries, followed by Bob's own queries and his message in the protocol, and then further Eve queries) by simulating an oracle $O'$ defined as follows. Below, $V_{B,y_0}(w)$ denotes the actual view of Bob in the protocol at that point, $O$ is the actual oracle and $O''$ is a freshly sampled independent random oracle. On query $q$,

• if $q \in Q(V_{B,y_1}(w)) \cup Q(V_E(w))$, answer according to $V_{B,y_1}(w)$ or $V_E(w)$;$^a$

• else, if $q \in Q(V_{B,y_0}(w))$, answer according to $O''$;

• else, answer according to $O$.

Let the set of nodes encountered by Bob during this exploration (over explorations from every Alice node $w$) be $\mathcal{E}^{x}_{y_0}$, where $x$ is Alice's input, and Bob substitutes $y_0$ with $y_1$ for exploration. If $\mathcal{E}^{x}_{y_0} \cap R_X \ne \emptyset$, then Bob outputs 0; else he outputs 1.

$^a$ As $V_{B,y_1}(w)$ is conditioned on $V_E(w)$, if $q \in Q(V_{B,y_1}(w)) \cap Q(V_E(w))$, both views will have the same answer for $q$.

Figure 4: Curious Bob strategy to show that $P[R_X|x_0,y_1]$ is small.

Figure 3 (image not reproduced): Simulating the oracle answers during exploration. The ovals represent the sets of queries in the views $V_{A,x}(w)$, $V_E(w)$, $V_{B,y_0}(w)$ and $V_{B,y_1}(w)$. Queries already answered in $V_E(w)$ (blue) or in the hypothetical Bob view $V_{B,y_1}(w)$ (orange) are answered according to these views. Answers to the remaining queries in $Q(V_{B,y_0}(w))$ (green) are freshly sampled, i.e. answered according to $O''$. All other queries are answered using the actual random oracle $O$. When the "safety" condition Eq. 10 holds, i.e., the orange and green regions (which have "edited" answers) do not intersect the gray region, this yields a perfect simulation (see Eq. 12).
Before we prove this, we define a game and state a sub-claim, which will help us with the analysis (for which we will derive yet another game based on this).

Game $G^{y'}(x,y)$. An oracle $O$, and random tapes for Alice and Bob are picked at random. Then, Alice and Bob execute the protocol $\Pi$ using oracle $O$ and the chosen random tapes, with inputs $x$ and $y$ respectively; at each node $w \in$ Achildren in the transcript path, we define $V_{A,x}(w)$, $V_{B,y}(w)$ and $V_E(w)$ as the views of Alice, Bob and Eve respectively. Further, at each such node $w$ that is strictly above the frontier $F_Y$ (i.e., $\nexists z \in F_Y$, $z \prec w$), we pick a random view for Bob conditioned on $w$ and input $y'$. Let $V_{B,y'}(w)$ represent that Bob view.

We define the event safe($w$) to occur in this game for a node $w$ where $V_{B,y'}(w)$ is sampled (i.e., child of an Alice node that is strictly above $F_Y$), if

$$Q(V_{A,x}(w)) \cap \big(Q(V_{B,y}(w)) \cup Q(V_{B,y'}(w))\big) \subseteq Q(V_E(w)). \qquad (10)$$

Claim 5.7. For any $x \in X$, $y, y' \in Y$, in the game $G^{y'}(x,y)$, for an error parameter $\epsilon_1 = \epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|)$, we have

$$\sum_{w} P[w|x,y']\,P'_x[\overline{\mathrm{safe}}(w)\,|\,w] \le N\epsilon_1 \qquad (11)$$

(where the summation is over $w$ for which safe($w$) is defined: i.e., $w \in$ Achildren such that $w \prec F_Y$).

Proof. This follows from Lemma A.3. At every level $L_j$, Lemma A.3 guarantees that $\sum_{w \in L_j,\ P[y|w;x] > \epsilon'} P[w \wedge \overline{\mathrm{safe}}(w)] \le \epsilon'$ for $\epsilon' = \epsilon^{\Omega(1)}\,\mathrm{poly}(\kappa|X||Y|)$. For $w \prec F_Y$, we have $P[y|w;x] \ge \frac{\theta}{(1+\delta)^N|Y|} > \epsilon'$. Hence the sum in the claim is bounded by $N\epsilon'$. We set $\epsilon_1 = \epsilon'$. $\square$

Two Experiments: $G(x)$ and $G'(x)$. Now, we define two experiments $G(x)$ and $G'(x)$ as follows:

$G(x)$ (which corresponds to the curious attack above) is the same as $G^{y_1}(x,y_0)$, but with the following addition. At each node $w \in$ Achildren above $F_Y$ in the transcript path, we carry out an "exploration" of Eve's steps and Bob's step till the next message from Alice (Eve, Bob, Eve), using the view sampled for $y_1$. This exploration is carried out as defined above for the curious Bob strategy (Figure 4). For simplifying notation, we make the following definition. For a node $u$ and $w = \mathrm{Apred}(u)$, we define the probability of the exploration starting at $w$ visiting $u$ as

$$P_x[u|w] = \Pr_{G(x)}[u \text{ reached in exploration from } w \mid w \text{ reached in execution}].$$

We also define $P_x[u] = P[w|x,y_0]\,P_x[u|w]$ to be the probability of the exploration reaching $u \in R_X$ (not conditioned on visiting $w = \mathrm{Apred}(u)$).

Note that in the right-hand side of the equation, we have $P[w|x,y_0]$, i.e. the node $w$ is generated with Alice interacting with her input $x$ and Bob with his input $y_0$. After reaching $w$, Bob samples a new view conditioned on his input being $y_1$ and proceeds to explore till Alice is supposed to send the next message. This part of the probability, i.e. the probability of reaching a node $u$ conditioned on reaching $w$, is expressed by the term $P_x[u|w]$. We point out that $P_x[u|w]$ is not necessarily equal to $P[u|w,x,y_1]$ since the exploration uses a simulated oracle that is simulated without knowing $x$. (However, as we shall see, it will be closely related to the latter.)
$G'(x)$ is in fact the same as $G^{y_0}(x,y_1)$ (note the reversal of roles for $y_0$ and $y_1$), i.e., an execution with inputs $(x,y_1)$, along with sampling Bob's view for input $y_0$ at each node $w \in$ Achildren encountered that is strictly above $F_Y$. This experiment involves no exploration. Now, for a node $u$ and $w = \mathrm{Apred}(u)$, we define the probability of the execution visiting $u$, conditioned on it having visited $w$, as

$$P'_x[u|w] = \Pr_{G'(x)}[u \text{ reached in the execution} \mid w \text{ reached in execution}].$$

We also define $P'_x[u] = P[w|x,y_1]\,P'_x[u|w]$ to be the probability of the execution reaching $u$ (not conditioned on visiting $w = \mathrm{Apred}(u)$). Note that in this experiment the only significance of $y_0$ is in defining the event safe($w$). In particular, there is no exploration phase or switching of inputs, and the execution considered for defining the probability $P'_x[u|w]$ is simply the same as a faithful execution of the original augmented protocol. Thus, $P'_x[u|w] = P[u|w,x,y_1]$.

A priori, there is no direct relation between the probability terms $P_x[u|w]$ and $P'_x[u|w]$. This is because the sampling of the Bob view in $G(x)$ is not correlated with the view of Alice given Eve's view; while, on the other hand, Bob's view in $G'(x)$ could possibly be correlated with Alice's view even when Eve's view is given. But, by additionally conditioning on the event safe($w$), these two probabilities are identical. More formally, we have the following key observation:$^{13}$ For all $x$, for all $u, w$ such that $w = \mathrm{Apred}(u)$, $P_x[w,\mathrm{safe}(w)] > 0$ and $P'_x[w,\mathrm{safe}(w)] > 0$,

$$P_x[u|w,\mathrm{safe}(w)] = P'_x[u|w,\mathrm{safe}(w)]. \qquad (12)$$

This is because, given a node $w$, in either experiment, the set of Alice views, the set of Bob views with input $y_0$ and the set of Bob views with input $y_1$ each compatible with the view in $w$ (individually) are determined. On conditioning on safe($w$), the distribution over triplets of views (one from each of the three sets) is the same in both experiments: they correspond to pairs of edges in the "views graph" at $w$, with both edges incident on the same Alice view, and the probability of a pair is (before conditioning) the product of the probabilities on the two edges (according to distributions obtained by conditioning on $y_0$ and $y_1$), and the conditioning removes all those pairs of edges that violate the safety condition; these operations (multiplication and safety condition) are symmetric in $y_0, y_1$ and hence both the distributions are the same. Now, conditioned on safe($w$), the exploration in $G(x)$ for a triplet of views is identical to the execution in $G'(x)$ for the same triplet.

Assuming that $P[R_X|x_0,y_1]$ is significant, we are interested in lower-bounding $P_{x_0}[R_X] - P_{x_1}[R_X]$.

For $x \in \{x_0, x_1\}$, we have:

$$P_x[R_X] = \sum_{u\in R_X} P_x[u] = \sum_{w} P[w|x,y_0] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_x[u|w].$$

Note that the last summation will be over $w \in$ Achildren that are strictly above $F_Y$, since we consider only those $w$ for which there exists some $u \in R_X$ with $\mathrm{Apred}(u) = w$.



$^{13}$ We shall use this claim for $w$ strictly above $F_Y$. It can be seen that if only one of $P_x[w,\mathrm{safe}(w)]$ and $P'_x[w,\mathrm{safe}(w)]$ is positive, then by the convention in Footnote 10, the node $w$ cannot be strictly above $F_Y$. Hence the claim will be applicable. Alternately, similar to the normal form for protocols mentioned in Footnote 10, we can assume w.l.o.g. that for all $w \in$ Achildren, $P_x[w,\mathrm{safe}(w)] > 0$ and $P'_x[w,\mathrm{safe}(w)] > 0$, so that the claim holds for all $w$.
Fix a node $w$ and consider $u \in R_X$ such that $\mathrm{Apred}(u) = w$. Then, (using the convention in Footnote 10),

$$\begin{aligned}
P_x[u|w] &= P_x[u, \mathrm{safe}(w)\,|\,w] + P_x[u, \overline{\mathrm{safe}}(w)\,|\,w] \\
&= P_x[u|w,\mathrm{safe}(w)]\,P_x[\mathrm{safe}(w)|w] + P_x[u,\overline{\mathrm{safe}}(w)\,|\,w] \\
&= P_x[u|w,\mathrm{safe}(w)] - P_x[u|w,\mathrm{safe}(w)]\,P_x[\overline{\mathrm{safe}}(w)|w] + P_x[u,\overline{\mathrm{safe}}(w)\,|\,w] \\
&= P_x[u|w,\mathrm{safe}(w)] + \big(P_x[u|w,\overline{\mathrm{safe}}(w)] - P_x[u|w,\mathrm{safe}(w)]\big)\,P_x[\overline{\mathrm{safe}}(w)|w].
\end{aligned}$$

The sums $\sum_{u\in R_X,\,\mathrm{Apred}(u)=w} P_x[u|w,\mathrm{safe}(w)]\,P_x[\overline{\mathrm{safe}}(w)|w]$ and $\sum_{u\in R_X,\,\mathrm{Apred}(u)=w} P_x[u|w,\overline{\mathrm{safe}}(w)]\,P_x[\overline{\mathrm{safe}}(w)|w]$ are both bounded by $P_x[\overline{\mathrm{safe}}(w)|w]$. Thus we can write

$$\begin{aligned}
P_x[R_X] &= \sum_w P[w|x,y_0] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_x[u|w] \\
&= \sum_w \Big(P[w|x,y_0] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_x[u|w,\mathrm{safe}(w)]\Big) \pm \sum_w P[w|x,y_0]\,P_x[\overline{\mathrm{safe}}(w)|w] \\
&= \sum_w \Big(P[w|x,y_0] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_x[u|w,\mathrm{safe}(w)]\Big) \pm N\epsilon_1, \qquad (13)
\end{aligned}$$

where the last step follows by Claim 5.7. Note that $P'_x[R_X] = P[R_X|x,y_1]$.

In our derivation below, we shall rely on conditioning the experiments $G(x)$ and $G'(x)$ on the event safe($\cdot$). To facilitate our arguments we relate certain probabilities when conditioned on safe($\cdot$) and otherwise.

Claim 5.8. The following two inequalities hold:

$$\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w,\mathrm{safe}(w)] = \Big(\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w]\Big) \pm N\epsilon_1 \qquad (14)$$

$$\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w,\mathrm{safe}(w)] = \Big(\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w]\Big) \pm (1+\delta)^N(N\epsilon_1 + 2N\nu_0). \qquad (15)$$

Proof. Firstly,

$$\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_x[u|w,\mathrm{safe}(w)] = \Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_x[u|w]\Big) \pm P'_x[\overline{\mathrm{safe}}(w)|w]. \qquad (16)$$
We get Eq. 14 as follows:

$$\begin{aligned}
&\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w,\mathrm{safe}(w)] \\
&= \Big(\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w]\Big) \pm \Big(\sum_w P[w|x_0,y_1]\,P'_{x_0}[\overline{\mathrm{safe}}(w)|w]\Big) && \text{By Eq. 16.} \\
&= \Big(\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w]\Big) \pm N\epsilon_1 && \text{By Eq. 11.}
\end{aligned}$$

To prove Eq. 15, first we note the following:

$$\begin{aligned}
\sum_w P[w|x_0,y_0]\,P'_{x_1}[\overline{\mathrm{safe}}(w)|w] &\le \sum_w P[w|x_1,y_0]\,P'_{x_1}[\overline{\mathrm{safe}}(w)|w] + 2N\nu_0 && \text{By Eq. 9.} \\
&\le N\epsilon_1 + 2N\nu_0 && \text{By Eq. 11.} \qquad (17)
\end{aligned}$$

$$\begin{aligned}
\sum_w P[w|x_0,y_1]\,P'_{x_1}[\overline{\mathrm{safe}}(w)|w] &\le (1+\delta)^N \sum_w P[w|x_0,y_0]\,P'_{x_1}[\overline{\mathrm{safe}}(w)|w] \\
&\le (1+\delta)^N (N\epsilon_1 + 2N\nu_0) && \text{By Eq. 17.} \qquad (18)
\end{aligned}$$

Hence, we conclude

$$\begin{aligned}
&\sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w,\mathrm{safe}(w)] \\
&= \sum_w \Big(P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w]\Big) \pm \sum_w P[w|x_0,y_1]\,P'_{x_1}[\overline{\mathrm{safe}}(w)|w] && \text{By Eq. 16.} \\
&= \sum_w P[w|x_0,y_1]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w]\Big) \pm (1+\delta)^N(N\epsilon_1 + 2N\nu_0) && \text{By Eq. 18.}
\end{aligned}$$

$\square$
To lower bound $P_{x_0}[R_X] - P_{x_1}[R_X]$ we proceed as follows:

$$\begin{aligned}
&P_{x_0}[R_X] - P_{x_1}[R_X] \\
&\ge \sum_w P[w|x_0,y_0]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_{x_0}[u|w,\mathrm{safe}(w)]\Big) - \sum_w P[w|x_1,y_0]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P_{x_1}[u|w,\mathrm{safe}(w)]\Big) - 2N\epsilon_1 && \text{By Eq. 13.} \\
&= \sum_w P[w|x_0,y_0]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_0}[u|w,\mathrm{safe}(w)]\Big) - \sum_w P[w|x_1,y_0]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P'_{x_1}[u|w,\mathrm{safe}(w)]\Big) - 2N\epsilon_1 && \text{By Eq. 12 (and Footnote 13).} \\
&\ge \sum_w P[w|x_0,y_0]\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} \big(P'_{x_0}[u|w,\mathrm{safe}(w)] - P'_{x_1}[u|w,\mathrm{safe}(w)]\big)\Big) - 2N(\nu_0+\epsilon_1) && \text{By Eq. 9.} \\
&\ge \sum_w \frac{P[w|x_0,y_1]}{(1+\delta)^N}\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} \big(P'_{x_0}[u|w,\mathrm{safe}(w)] - P'_{x_1}[u|w,\mathrm{safe}(w)]\big)\Big) - 2N(\nu_0+\epsilon_1) && \text{By Eq. 7.} \\
&\ge \sum_w \frac{P[w|x_0,y_1]}{(1+\delta)^N}\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} \big(P'_{x_0}[u|w] - P'_{x_1}[u|w]\big)\Big) - 2N(\nu_0+\epsilon_1) - \frac{N\epsilon_1}{(1+\delta)^N} - (2N\nu_0 + N\epsilon_1) && \text{By Eq. 14 and Eq. 15.} \\
&= \sum_w \frac{P[w|x_0,y_1]}{(1+\delta)^N}\Big(\sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} \big(P[u|w;x_0,y_1] - P[u|w;x_1,y_1]\big)\Big) - 2N(\nu_0+\epsilon_1) - \frac{N\epsilon_1}{(1+\delta)^N} - (2N\nu_0 + N\epsilon_1) && \text{By definition of } P'_x[u|w]. \\
&\ge \frac{\delta'}{(1+\delta')(1+\delta)^N} \sum_w P[w|x_0,y_1] \sum_{\substack{u\in R_X\\ \mathrm{Apred}(u)=w}} P[u|w;x_0,y_1] - 4N(\nu_0+\epsilon_1) && \text{By Eq. 5.} \\
&= \frac{\delta'}{(1+\delta')(1+\delta)^N}\,P[R_X|x_0,y_1] - 4N(\nu_0+\epsilon_1).
\end{aligned}$$

Putting things Together. Let us define $\mu = (1 + \delta)^N$ and recall that $\delta'$ = (1 + ^Vd^l-i) - 1. From Parts 2 and 3, we obtain a lower bound on the distinguishing advantage, expressed in terms of $P[S_X \mid x_0, y_1]$ and $P[R_X \mid x_0, y_1]$. We can assume that these advantages are $\rho_S$ and $\rho_R$ respectively. But we know that the simulation error is $\nu_0$, so $\rho_S + \rho_R \le 2\nu_0$. Thus, we obtain the following bounds:



P[Sx\x , Hi] < (1 (PS + 2iV(z/ + e )) 

P[^|£o,yi] < (pfl + 4iV(^o + gi)) 



Finally, we can obtain a bound on the overall bad event $P[F_X]$:
P[Fx] < \X\ 2 \y\ 2 P[F^) 




(P[Sx\x ,yi] + P[Rx\xo,yi]) 



2p 2 \X\ 2 \y\(l + 5')N fA 



This completes the proof of Claim 5.5, and in turn that of Claim 5.1. As discussed in Section 5.2, this (combined with Claim 5.3) is used to prove Theorem 1.1.

6 Beyond Semi-Honest Security 

In this section we prove Theorem 1.2, which tells us that in the context of building 2-party SFE protocols secure against active adversaries, a random oracle is only useful as a means for securely realizing the commitment functionality, denoted by $\mathcal{F}_{\mathrm{COM}}$. This holds true for both UC and standalone security.

Theorem 1.2 (Restated.) For a deterministic finite 2-party function $f$, the following statements are equivalent:

1. $f$ has a statistically UC-secure SFE protocol in the random oracle model.

2. $f$ has a statistically standalone-secure SFE protocol in the random oracle model.

3. $f$ has a statistically UC-secure SFE protocol in the $\mathcal{F}_{\mathrm{COM}}$-hybrid model.

4. $f$ has a statistically standalone-secure SFE protocol in the $\mathcal{F}_{\mathrm{COM}}$-hybrid model.

Proof. Clearly, (1) ⇒ (2) and (3) ⇒ (4). That (3) ⇒ (1) and (4) ⇒ (2) follows from the fact that in the random oracle model, we can UC-securely implement the $\mathcal{F}_{\mathrm{COM}}$ functionality. (This implication holds not only for deterministic SFE, but also for reactive or randomized functionalities.)

To complete the proof we shall show that (2) ⇒ (3). So suppose $f$ has a standalone secure protocol using a random oracle. Let $f'$ be a redundancy-free function obtained by removing redundant inputs one by one from $f$ (see Footnote 4). Then, it is enough to show (2') ⇒ (3'), where (2') and (3') are identical to (2) and (3) but with $f$ replaced by $f'$ (because (2) ⇔ (2') and (3) ⇔ (3') [MPR10, KM11]). Now, if $f'$ has a standalone secure protocol in the $\mathcal{F}_{\mathrm{COM}}$-hybrid model, then the same protocol is semi-honest secure as well. Further, by replacing $\mathcal{F}_{\mathrm{COM}}$ by a trivial protocol for commitment with semi-honest security, we obtain a semi-honest secure protocol for $f'$ in the plain model. Then, by Claim 5.2, $f'$ must be isomorphic to a symmetric function $f''$ which has a semi-honest secure protocol in the plain model. That is, $f''$ must be decomposable. Then, by a result in [MPR09], $f''$ has a UC secure protocol in the $\mathcal{F}_{\mathrm{COM}}$-hybrid model. Since $f''$ is isomorphic to $f'$, the latter also has a UC secure protocol in the $\mathcal{F}_{\mathrm{COM}}$-hybrid model, proving (3') as desired. □
7 Black-Box Separations



The random oracle model is of interest not only as an abstract theoretical framework, but also because it models a (strong) one-way function. Thus, informally, the impossibility results in the random oracle model translate to the impossibility of constructions that rely on a one-way function as their sole computational primitive. This intuition can be formalized as black-box separation results, following [IR89, RTV04].

For our black-box separation results, we shall follow the definitions as introduced by [RTV04] with minor modifications. Following [RTV04], we consider primitives to be specified as pairs of the form $(F_\mathcal{Q}, R_\mathcal{Q})$. The set $F_\mathcal{Q}$ is a set of functions that are candidate implementations of the primitive $\mathcal{Q}$. For example, for the one-way function primitive (represented by OWF) the set $F_{\mathrm{OWF}}$ consists of all functions defined over $\{0,1\}^*$. The set $R_\mathcal{Q}$ is a set of pairs $(Q, M)$, where $Q$ is a candidate implementation of $\mathcal{Q}$ and $M$ is an adversary which breaks the security of $Q$. (Sometimes we shall abuse the notation and write $(\Pi, M) \in R_\mathcal{Q}$ if $\Pi$ implements a function $Q$ such that $(Q, M) \in R_\mathcal{Q}$.) Continuing our example of OWF, $(Q, M)$ would consist of a one-way function $Q$ where the inverter $M$ inverts a non-negligible fraction of the outputs of $Q$.

Next, we recall the definition of fully black-box reductions (or as presented below, fully black-box 
constructions) as introduced in [RTV04]. Below, we say that a (possibly non-uniform) algorithm is efficient 
if it is probabilistic polynomial time (PPT). 

Definition 7.1 (Fully Black-box Constructions). A fully black-box construction of a primitive $\mathcal{P}$ from another primitive $\mathcal{Q}$ consists of a pair of efficient oracle algorithms $(\Pi, S)$, such that the following two conditions hold:

1. Correct Implementation: For any $Q \in F_\mathcal{Q}$, $\Pi^Q$ implements a function $P \in F_\mathcal{P}$.

2. Security: For any $Q \in F_\mathcal{Q}$ and any (possibly inefficient) adversary $A$ that breaks the security of $\Pi^Q$, the reduction $S^{Q,A}$ breaks the security of $Q$ as an implementation of $\mathcal{Q}$. That is, $\forall A,\ \forall Q \in F_\mathcal{Q}$: $(\Pi^Q, A) \in R_\mathcal{P} \Rightarrow (Q, S^{Q,A}) \in R_\mathcal{Q}$.

We emphasize that the construction $\Pi$ and the reduction $S$ are efficient.

Constructions that Preserve the Security Parameter. As is standard in cryptographic constructions, we shall associate a security parameter with primitives and state security conditions in terms of it. Formally, we shall consider that for any primitive $\mathcal{P}$, the input to any $P \in F_\mathcal{P}$ has a security parameter encoded as part of its inputs. We prove our separation results with a technical restriction on black-box constructions, namely that the constructions respect the security parameter: that is, in a black-box construction of $\mathcal{P}$ from $\mathcal{Q}$, when the implementation $\Pi^Q$, for $Q \in F_\mathcal{Q}$, is given an input with security parameter $\kappa$, it always invokes $Q$ with the same security parameter $\kappa$. However, there is no such restriction on the security reduction $S$.

For $Q \in F_\mathcal{Q}$, we denote by $Q_i$ the restriction of $Q$ to inputs which have security parameter $i$. We will often identify $Q$ with the infinite tuple $(Q_1, Q_2, \ldots)$. For a security parameter respecting construction $(\Pi, S)$, when invoked with security parameter $\kappa$, $\Pi^Q$ will access only $Q_\kappa$. There is no such restriction on the security reduction $S$. When invoked with security parameter $\kappa$, $S^{Q,A}$ (for an adversary $A$ attacking $\Pi$) is expected to invert points in the range of $Q_\kappa$. To perform this inversion, $S^{Q,A}$ is permitted to access $Q_{\kappa'}$ for all values of $\kappa' \in \mathbb{N}$ (including $\kappa' \neq \kappa$), and in particular can invoke $\Pi^Q$ and $A^Q$ with different security parameters $\kappa'$.

This restriction is not as limiting as it may appear at first, since we can define primitives like one-way functions to allow access to a range of input lengths for a single value of the security parameter. (See the definition of $\mathrm{OWF}_\zeta$ below.)

Below we define the various primitives used to formalize our results. The primitives are formally speci- 
fied by the F and R sets as mentioned above. We shall specify the functions in F separately for each value 
of the security parameter. We consider the machines M in all the definitions below as non-uniform machines 
(with non-uniform advice for each security parameter); however, one could relax the security definition of 
any of the primitives to consider only uniform M, and by requiring the fully black-box construction to also 
be uniform, our results hold unchanged. 

One-Way Function Primitive OWF. First, for simplicity, we consider a one-way function primitive OWF which considers the security parameter as the input length itself.¹⁴

• $F_{\mathrm{OWF}}$ consists of all functions from $\{0,1\}^*$ to $\{0,1\}^*$, and the security parameter is the length of the input.

• $(Q, M) \in R_{\mathrm{OWF}}$ if there is a non-negligible function $\delta$ such that for infinitely many $\kappa \in \mathbb{N}$,

$$\Pr[Q(M(y)) = y : x \leftarrow \{0,1\}^\kappa,\ y = Q(x)] \ge \delta(\kappa).$$

Primitive for Semi-honest Secure SFE Protocol. For a 2-party function $f : X \times Y \to Z_A \times Z_B$, we define the primitive $\mathrm{SFE}_f$ corresponding to a semi-honest secure protocol for evaluating $f$. For simplicity, we consider the domain and range of $f$ itself to be finite and fixed (independent of the security parameter).¹⁵ A protocol $\Pi$ will be identified with the next-message function of the protocol. One of its inputs is the security parameter $\kappa$.

• $\Pi \in F_{\mathrm{SFE}_f}$ if the protocol defined by $\Pi$ is "correct", i.e. for all $(x, y) \in X \times Y$, the pair of outputs from Alice and Bob when they execute $\Pi$ with security parameter $\kappa$ and inputs $(x, y)$ is $(a, b) = f(x, y)$ except with probability negligible in $\kappa$.

• An adversary Adv breaks $\Pi$, i.e. $(\Pi, \mathrm{Adv}) \in R_{\mathrm{SFE}_f}$, if there exists $(x, x', y, y')$ such that

1. $f(x, y) = f(x, y')$ and $\big|\Pr[\mathrm{Adv}(V_A^{\Pi,(x,y)}) = 1] - \Pr[\mathrm{Adv}(V_A^{\Pi,(x,y')}) = 1]\big| \ge \delta(\kappa)$, or

2. $f(x, y) = f(x', y)$ and $\big|\Pr[\mathrm{Adv}(V_B^{\Pi,(x,y)}) = 1] - \Pr[\mathrm{Adv}(V_B^{\Pi,(x',y)}) = 1]\big| \ge \delta(\kappa)$,

where $V_A^{\Pi,(x,y)}$ and $V_B^{\Pi,(x,y)}$ stand for Alice's and Bob's views after executing $\Pi$ with inputs $(x, y)$, and the advantage $\delta(\kappa)$ is non-negligible in $\kappa$.

Note that we used a game-based definition of semi-honest security. This is in general weaker than the standard simulation-based definition of semi-honest security (unless simulation with unbounded computational power is considered, in which case they are identical). Since we are ruling out black-box constructions of $\mathrm{SFE}_f$, using a weaker definition of security for $\mathrm{SFE}_f$ makes our result only stronger.

One-Way Function Primitive $\mathrm{OWF}_\zeta$. Since we consider only security-parameter preserving constructions, a construction using the primitive OWF above can access the one-way function only on inputs of length exactly equal to the security parameter. This limits the implications of a separation result, as it leaves open the possibility that a construction that uses a one-way function on more than one input length could be secure. To rule out this possibility as well, we consider a more elaborate primitive and rule out fully black-box constructions of $\mathrm{SFE}_f$ from this primitive as well. Formally, we define a primitive $\mathrm{OWF}_\zeta$ for each polynomial $\zeta$ as follows.

For any function $g : \{0,1\}^* \to \{0,1\}^*$, let $g_\zeta$ be defined as follows: $g_\zeta(\kappa, x) = g(x)$ if $|x| \le \zeta(\kappa)$ and $g_\zeta(\kappa, x) = \bot$ otherwise. Let $W_\zeta^i = \{g_\zeta(i, \cdot) \mid g : \{0,1\}^* \to \{0,1\}^*\}$.

• $F_{\mathrm{OWF}_\zeta} = W_\zeta^1 \times W_\zeta^2 \times \cdots$. That is, for $Q \in F_{\mathrm{OWF}_\zeta}$, $Q = (Q_1, Q_2, \ldots)$, the function $Q_\kappa$ is of the form $g_\zeta(\kappa, \cdot)$ for some function $g$.

• $(Q, M) \in R_{\mathrm{OWF}_\zeta}$ if there is a non-negligible function $\delta$ such that for infinitely many $\kappa \in \mathbb{N}$,

$$\Pr[Q(\kappa, M(\kappa, y)) = y : x \leftarrow \{0,1\}^1 \cup \cdots \cup \{0,1\}^{\zeta(\kappa)},\ y = Q(\kappa, x)] \ge \delta(\kappa).$$

¹⁴ This is the same one-way function primitive as considered in [RTV04]. However, in the case of security parameter preserving constructions, this primitive prevents the construction from using the one-way function with any input length other than the security parameter. Later we remove this restriction by considering the primitive $\mathrm{OWF}_\zeta$ defined below.

¹⁵ One could consider $f$ to have infinite domain and range, and define restrictions of $f$, $f_\kappa : X_\kappa \times Y_\kappa \to Z_{A,\kappa} \times Z_{B,\kappa}$, where $X_1 \subseteq X_2 \subseteq \cdots \subseteq X$ etc., with efficient representations for the subdomains and subrange. Our results hold as long as $|X_\kappa|, |Y_\kappa| \le \mathrm{poly}(\kappa)$. We omit such a formalization for the sake of simplicity.

Theorem 7.2. For a deterministic two-party function $f$ and the primitive $\mathrm{SFE}_f$ (a semi-honest secure protocol for $f$), the following statements are equivalent:

(1) $f$ has a perfectly semi-honest secure protocol (in the plain model).

(2) $\mathrm{SFE}_f$ has a security-parameter preserving fully black-box construction from OWF.

(3) $\mathrm{SFE}_f$ has a security-parameter preserving fully black-box construction from $\mathrm{OWF}_\zeta$, for some polynomial $\zeta$.

We prove this theorem in Appendix C. 

8 Open Problems and Future Work 

We have shown a black-box separation between one-way functions and semi-honest SFE protocols for 2-party secure function evaluation of any function which does not already have a semi-honest SFE protocol in the plain model. Intuitively, this introduces new worlds between "minicrypt" and "cryptomania" [Imp95], corresponding to where these functions have semi-honest SFE protocols. There are several interesting questions that this gives rise to. We mention a few directions below.

1. Our result relies on the combinatorial characterization of undecomposable function evaluations. In 
particular, our strategy is not able to "compile out" the random oracle completely in the context of 2-party 
deterministic semi-honest function evaluation, i.e., we are not able to rule out that access to a random oracle 
could enable secure computation (of say, a randomized functionality) that cannot be achieved by a protocol 
in the plain model. Understanding the precise power of random oracles in the context of secure computation 
in its full generality (especially, for randomized functions) remains open. 

2. The separation of OT from one-way functions (implicit) in [IR89] was strengthened to separate OT from public-key encryption in [GKM+00]. In ongoing work, we give a similar strengthening of our results, separating every function which does not have a semi-honest SFE protocol in the plain model (undecomposable functions, among symmetric functions) from public-key encryption. This, in particular, would give an alternate proof for the result in [GKM+00].

3. In this work we do not show that (semi-honest) SFE for the various functions we separate from one- 
way functions really correspond to new worlds in Impagliazzo's universe. In particular, we do not separate 
them from the "OT protocol" primitive. Indeed, one could hope to prove our current results by simply 
showing that SFE for all the functions we considered can, in a fully black-box manner, yield an OT protocol. 
But we conjecture that such a construction simply does not exist. We leave it open to fully understand the 
relationship between the worlds corresponding to (semi-honest) SFE protocols for the different functions, 
and in particular, find out if there is an infinite hierarchy of such distinct worlds. 
A Independence Learners



A.1 Some Notations

Before we proceed, we introduce some notations used in this section.

A.1.1 Random Variables.

We use bold letters to emphasize the nature of a random variable (e.g., $\mathbf{x}$). By $\mathrm{Supp}(\mathbf{x})$ we denote $\{x \mid \Pr[\mathbf{x} = x] > 0\}$. By $x \leftarrow \mathbf{x}$ we mean that $x$ is sampled according to the distribution of the random variable $\mathbf{x}$. We usually use the same letter to denote a sample from a random variable. When we say an event occurs with negligible probability, denoted by $\mathrm{negl}(\kappa)$, we mean it occurs with probability $\kappa^{-\omega(1)}$. We call two random variables $\mathbf{x}, \mathbf{y}$ (or their corresponding distributions) $\varepsilon$-close if their statistical distance, defined as $\mathrm{SD}(\mathbf{x}, \mathbf{y}) = \frac{1}{2} \sum_{s \in \mathrm{Supp}(\mathbf{x}) \cup \mathrm{Supp}(\mathbf{y})} |\Pr[\mathbf{x} = s] - \Pr[\mathbf{y} = s]|$, is at most $\varepsilon$. By $\mathbf{x} \equiv \mathbf{y}$ we denote that the random variables $\mathbf{x}$ and $\mathbf{y}$ are distributed identically.

By $(\mathbf{x}_1, \mathbf{x}_2, \ldots)$ we denote a (perhaps infinite) sequence of correlated random variables where $\mathbf{x}_i$ is the random variable of the $i$-th coordinate. For correlated random variables $(\mathbf{x}, \mathbf{y})$, by $(\mathbf{x} \times \mathbf{y})$ we refer to a new random variable that samples independent copies of $\mathbf{x}$ and $\mathbf{y}$ (i.e., sample two pairs $(x_1, y_1) \leftarrow (\mathbf{x}, \mathbf{y})$, $(x_2, y_2) \leftarrow (\mathbf{x}, \mathbf{y})$ and output $(x_1, y_2)$). For correlated random variables $(\mathbf{x}, \mathbf{y})$ and $y \in \mathrm{Supp}(\mathbf{y})$, by $(\mathbf{x} \mid \mathbf{y} = y)$ we denote the random variable $\mathbf{x}$ conditioned on $\mathbf{y} = y$. When it is clear from the context we simply write $(\mathbf{x} \mid y)$ instead of $(\mathbf{x} \mid \mathbf{y} = y)$.

A.1.2 Two Party Protocols

In the proofs in this section, we mostly analyze the protocols by rounds rather than frontiers. Hence it will be convenient to introduce notation involving round numbers (rather than nodes in the transcript tree). Below we describe notation associated with Alice; similar notation is associated with Bob as well.

1. $\mu = (\mu_1, \mu_2, \ldots)$ denotes the transcript generated during the interaction, where the $i$-th message is sent by Alice if $i$ is odd, and by Bob if $i$ is even. By $\mu^{(i)}$ we denote $(\mu_1, \ldots, \mu_i)$.

2. Let $P_A$ denote the set of oracle query-answer pairs obtained by Alice from the oracle. By $P_A^{(i)}$ we denote the set of query-answer pairs obtained by Alice before $\mu^{(i)}$ is sent. $Q_A$ and $Q_A^{(i)}$ are defined similarly to $P_A$ and $P_A^{(i)}$ while only containing the queries. Namely, using the query-operator $\mathcal{Q}$ defined earlier, it holds that $Q_A = \mathcal{Q}(P_A)$ and $Q_A^{(i)} = \mathcal{Q}(P_A^{(i)})$.

3. $V_A$ denotes the view of Alice, which is equal to $(x, r_A, P_A, \mu)$, where $r_A$ denotes the private random tape of Alice. By $V_A^{(i)}$ we denote the view of Alice till the message $\mu^{(i)}$ is sent, which is equal to $(x, r_A, P_A^{(i)}, \mu^{(i-1)})$.

A Public Query Strategy. For a 2-party protocol $\Pi$ in the $O$ model, we define a public query strategy Eve as a deterministic algorithm which takes as input a prefix $\mu^{(i)}$ of the messages of an execution of $\Pi$ and a set $P_E^{(i-1)}$ of query-answer pairs from $O$ (standing for the queries that she has asked previously), and then adaptively queries $O$ multiple times. The view of Eve, denoted by $V_E$, is equal to $(\mu, P_E)$. We also define $V_E^{(i)} = (P_E^{(i)}, \mu^{(i)})$ as the view of Eve before $\mu_{i+1}$ is sent.

We define the query complexity of a public query strategy Eve for a protocol $\Pi$ to be the maximum number of queries Eve makes to $O$ over an entire augmented execution of $\Pi$ and Eve.

A Round. For an odd $i$, the $i$-th round starts right after the $(i-1)$-st message is received by Alice, who then starts asking her oracle queries (which are contained in $Q_A^{(i)}$). When Alice sends $\mu_i$, the $i$-th round continues as Eve asks her oracle queries (contained in $P_E^{(i)}$). This round ends when Eve is done asking her oracle queries. For an even $i$, the definition of the $i$-th round is similar (switching between Alice and Bob).

A.2 Independence Learner 

The following lemma was implicit in the work of [BM09] and was proved explicitly in [DLMM11] (here, for simplicity, we use this lemma with more relaxed parameters).

Lemma A.1 (Independence Learner for Protocols with No Input [BM09, DLMM11]). Let $\Pi$ be an $N$-round input-less randomized two-party protocol using a random oracle $O$, with query complexity $m$. Then, for any threshold $0 < \varepsilon < 1$, $\Pi$ has a public query strategy Eve (who only observes the public messages) with query complexity $\mathrm{poly}(m/\varepsilon)$, such that with probability at least $1 - \varepsilon$ over the choice of the view of Eve, $V_E \leftarrow \mathbf{V}_E$, the following holds. (Recall that $V_E = (P_E, \mu)$ and $V_E^{(i)}$ is the part of $V_E$ that corresponds to the first $i$ rounds.)

1. $(1 - \varepsilon)$-Independence: For every $i \in [N]$ the following distributions are $\varepsilon$-close:

$$\big((\mathbf{V}_A^{(i)} \mid V_E^{(i)}) \times (\mathbf{V}_B^{(i)} \mid V_E^{(i)})\big) \quad \text{and} \quad \big((\mathbf{V}_A^{(i)}, \mathbf{V}_B^{(i)}) \mid V_E^{(i)}\big).$$

Namely, if we sample the views of Alice and Bob jointly conditioned on $V_E^{(i)}$, this joint distribution is $\varepsilon$-close to the product distribution in which Alice's and Bob's views are sampled independently (each conditioned on the same $V_E^{(i)}$).

2. $\varepsilon$-Lightness: For every $q \notin Q_E^{(i)}$ (where $Q_E^{(i)} = \mathcal{Q}(V_E^{(i)})$) it holds that

$$\Pr_{V_A^{(i)} \leftarrow (\mathbf{V}_A^{(i)} \mid V_E^{(i)})}\big[q \in \mathcal{Q}(V_A^{(i)})\big] \le \varepsilon \quad \text{and} \quad \Pr_{V_B^{(i)} \leftarrow (\mathbf{V}_B^{(i)} \mid V_E^{(i)})}\big[q \in \mathcal{Q}(V_B^{(i)})\big] \le \varepsilon.$$

A.3 Using the Independence Learner 

The Independence Learner of Lemma A.1 is not directly useful in our context. We need two additional technical properties ensured by the independence learner, which are mentioned below.

The first lemma formalizes the intuition that a curious eavesdropper, when run with appropriate parameters, can ensure that whenever Alice sends a message in the protocol she can only add information about her own input and not about Bob's input.

Lemma A.2 (Independence Learner for Likely Inputs). Let $\Pi$ be a secure protocol for some secure function evaluation relative to a random oracle $O$, in which Alice asks $m$ queries to the random oracle. Suppose $X$ and $Y$ are, respectively, the sets of inputs for Alice and Bob. We run Eve with input parameter $\varepsilon < 1$ over $\Pi$ assuming that $\Pi$ is run with $x \leftarrow X$ and $y \leftarrow Y$. Let $x \in X$ and $y, y' \in Y$ be fixed inputs. Then for some $\varepsilon' = \varepsilon^{\Omega(1)} \cdot (m \cdot |X|)^{O(1)}$, if we run the protocol $\Pi$ with inputs $x$ and $y$ together with the curious eavesdropper Eve, for every even $i \in [N]$ (i.e., Bob sends $\mu_i$), with probability at least $1 - \varepsilon'$ over the choice of the view of Eve $V_E^{(i)} \leftarrow \mathbf{V}_E^{(i)}$ at least one of the following holds:

1. $P[y \mid V_E^{(i)}, x] < \varepsilon'$,

2. $P[y' \mid V_E^{(i)}, x] < \varepsilon'$, or

3. $\mathrm{SD}\big((\mu_{i+1} \mid V_E^{(i)}, x, y), (\mu_{i+1} \mid V_E^{(i)}, x, y')\big) \le \varepsilon'$.

The second lemma is slightly more technical. The curious eavesdropper of Lemma A.1 ensures that all intersection queries are covered with high probability when Alice and Bob execute the protocol with actual inputs $x$ and $y$. We need a stronger version of this result. We want to claim that even if Bob pretends to change his input to $y'$ and samples a corresponding local view, the intersection queries of this "hypothetical view" are also covered by the actual Eve view with high probability. This ensures that we can sample a consistent random oracle even without knowledge of the actual Alice input $x$ while simulating the hypothetical view. Looking ahead, this lemma shall be useful when Bob launches a curious attack by changing his private input appropriately.

Lemma A.3 (Bounding Collisions of Queries for Likely Inputs). Let $\Pi$ be a secure protocol for some secure function evaluation relative to a random oracle $O$, in which Alice asks $m$ queries to the random oracle. Suppose $X$ and $Y$ are, respectively, the sets of inputs for Alice and Bob. We run Eve with input parameter $\varepsilon < 1$ over $\Pi$ assuming that $\Pi$ is run with $x \leftarrow X$ and $y \leftarrow Y$. Let $x \in X$ and $y, y' \in Y$ be some fixed inputs. Suppose we perform the following samplings:

$$(V_E^{(i)}, Q_B^{(i)}, Q_A^{(i+1)}) \leftarrow (\mathbf{V}_E^{(i)}, \mathbf{Q}_B^{(i)}, \mathbf{Q}_A^{(i+1)} \mid x, y) \quad \text{and} \quad Q'^{(i)}_B \leftarrow (\mathbf{Q}_B^{(i)} \mid V_E^{(i)}, \mu_{i+1}, y').$$

In the second sampling, the protocol is executed with inputs $x, y$ and Alice's message $\mu_{i+1}$ is generated, and after that we sample a view of Bob for the first $i$ rounds conditioned on $V_E^{(i)}$, $\mu_{i+1}$ and Bob's input being $y'$. Then for some $\varepsilon' = \varepsilon^{\Omega(1)} \cdot (m \cdot |X| \cdot |Y|)^{O(1)}$, with probability at least $1 - \varepsilon'$ it holds that either

1. $P[y' \mid V_E^{(i)}, x] < \varepsilon'$, or

2. $Q_A^{(i+1)} \cap (Q_B^{(i)} \cup Q'^{(i)}_B) \subseteq \mathcal{Q}(V_E^{(i)})$.

Before proving Lemma A.2 and Lemma A.3 we need to develop some general tools of probability.

A.4 General Useful Lemmas

A corollary to Lemma 2.1 is that the actual inputs of Alice and Bob will not become "unlikely" conditioned on Eve's view, except with small probability.

Corollary A.4. Suppose Alice and Bob run a two-party protocol with inputs $x, y$ chosen from an arbitrary distribution, and suppose Eve is some public query strategy. Then the probability that at some point during the protocol it holds that $P[(x, y) \mid u] < \theta$, where $u$ is the view of Eve so far, is at most $\theta / P[(x, y)]$ (if the inputs are chosen uniformly at random from the sets $X, Y$, this probability is at most $\theta |X| |Y|$).

Proof. Corollary A.4 follows by a direct application of Lemma 2.1, taking the event $\mathcal{X}$ to be the case that $(x, y)$ are the inputs, and the sequence of random variables $(\mathbf{m}_1, \mathbf{m}_2, \ldots)$ to be the sequence of the bits representing the view of Eve. □
The following lemma states that if two random variables $\mathbf{a}, \mathbf{b}$ are statistically close, they will "remain close" even if we condition on a "likely event" defined over their supports.

Lemma A.5. Let $\mathbf{a}, \mathbf{b}$ be two random variables such that $\mathrm{SD}(\mathbf{a}, \mathbf{b}) \le \varepsilon$. Suppose $E \subseteq \mathrm{Supp}(\mathbf{a}) \cup \mathrm{Supp}(\mathbf{b})$ is an event such that $P[\mathbf{a} \in E] \ge \delta > 0$ and $P[\mathbf{b} \in E] > 0$. Define $\mathbf{a}_E = (\mathbf{a} \mid E)$ and $\mathbf{b}_E = (\mathbf{b} \mid E)$. Then, $\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E) \le \varepsilon/\delta$.

Proof. First, we prove a weaker bound of $3\varepsilon/2\delta$ and then sharpen the analysis to obtain the optimal bound of $\varepsilon/\delta$.

Let $\alpha = P[\mathbf{a} \in E]$ and $\beta = P[\mathbf{b} \in E]$. Recall that we are guaranteed $\alpha \ge \delta > 0$ and $\beta > 0$. Moreover, $\sum_{s \in E} |P[\mathbf{a} = s] - P[\mathbf{b} = s]| \le 2\varepsilon$ and $|\alpha - \beta| \le \varepsilon$, because $\mathrm{SD}(\mathbf{a}, \mathbf{b}) \le \varepsilon$. Observe that $P[\mathbf{a}_E = s] = P[\mathbf{a} = s]/\alpha$ and $P[\mathbf{b}_E = s] = P[\mathbf{b} = s]/\beta$, for $s \in E$. Therefore, we can perform the following simplification:

$$\begin{aligned}
\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E) &= \frac{1}{2} \sum_{s \in E} \left| \frac{P[\mathbf{a} = s]}{\alpha} - \frac{P[\mathbf{b} = s]}{\beta} \right| \\
&\le \frac{1}{2} \sum_{s \in E} \left( \frac{|P[\mathbf{a} = s] - P[\mathbf{b} = s]|}{\alpha} + P[\mathbf{b} = s] \left| \frac{1}{\alpha} - \frac{1}{\beta} \right| \right) \\
&\le \frac{2\varepsilon}{2\alpha} + \frac{|\alpha - \beta|}{2\alpha\beta} \sum_{s \in E} P[\mathbf{b} = s] = \frac{\varepsilon}{\alpha} + \frac{|\alpha - \beta|}{2\alpha} \\
&\le \frac{\varepsilon}{\alpha} + \frac{\varepsilon}{2\alpha} = \frac{3\varepsilon}{2\alpha} \le \frac{3\varepsilon}{2\delta}.
\end{aligned}$$

With a more careful case analysis, the upper bound can be improved to $\varepsilon/\delta$ (which is tight). In both cases below we use the fact that $\sum_{s \in E} (P[\mathbf{a}_E = s] - P[\mathbf{b}_E = s]) = 0$, so that $\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E)$ equals the sum of the positive differences alone. Consider these two cases:

1. Case $\alpha \ge \beta$: We shall partition the set $E$ into three sets $E_1$, $E_2$ and $E_3$ as follows:

$$\begin{aligned}
E_1 &= \{ s \mid s \in E,\ P[\mathbf{a} = s]/\alpha > P[\mathbf{b} = s]/\beta \} \\
E_2 &= \{ s \mid s \in E,\ P[\mathbf{a} = s] > P[\mathbf{b} = s] \text{ but } P[\mathbf{a} = s]/\alpha \le P[\mathbf{b} = s]/\beta \} \\
E_3 &= \{ s \mid s \in E,\ P[\mathbf{a} = s] \le P[\mathbf{b} = s] \}
\end{aligned}$$

Let $u_i = P[\mathbf{a} \in E_i]$ and $v_i = P[\mathbf{b} \in E_i]$, where $i \in \{1, 2, 3\}$, so that $\alpha = u_1 + u_2 + u_3$ and $\beta = v_1 + v_2 + v_3$. We shall use the following constraints: $v_2 \le u_2$, $v_3 \le u_3 + \varepsilon$ and $v_1 \ge u_1 - \varepsilon$. Now, consider the following manipulation:

$$\begin{aligned}
\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E) &= \frac{1}{2} \sum_{s \in E} \left| \frac{P[\mathbf{a} = s]}{\alpha} - \frac{P[\mathbf{b} = s]}{\beta} \right| = \sum_{s \in E_1} \left( \frac{P[\mathbf{a} = s]}{\alpha} - \frac{P[\mathbf{b} = s]}{\beta} \right) = \frac{u_1}{\alpha} - \frac{v_1}{\beta} \\
&= \frac{u_1}{u_1 + u_2 + u_3} - \frac{v_1}{v_1 + v_2 + v_3} \\
&\le \frac{u_1}{u_1 + u_2 + u_3} - \frac{v_1}{v_1 + u_2 + u_3 + \varepsilon} && (\because v_2 \le u_2,\ v_3 \le u_3 + \varepsilon) \\
&\le \frac{u_1}{u_1 + u_2 + u_3} - \frac{u_1 - \varepsilon}{u_1 + u_2 + u_3} && (\because v_1 \ge u_1 - \varepsilon) \\
&= \frac{\varepsilon}{\alpha} \le \frac{\varepsilon}{\delta}.
\end{aligned}$$

2. Case $\alpha < \beta$: We shall partition the set $E$ into three sets $E_1$, $E_2$ and $E_3$ as follows:

$$\begin{aligned}
E_1 &= \{ s \mid s \in E,\ P[\mathbf{a} = s] \ge P[\mathbf{b} = s] \} \\
E_2 &= \{ s \mid s \in E,\ P[\mathbf{a} = s] < P[\mathbf{b} = s] \text{ but } P[\mathbf{a} = s]/\alpha \ge P[\mathbf{b} = s]/\beta \} \\
E_3 &= \{ s \mid s \in E,\ P[\mathbf{a} = s]/\alpha < P[\mathbf{b} = s]/\beta \}
\end{aligned}$$

Let $u_i = P[\mathbf{a} \in E_i]$ and $v_i = P[\mathbf{b} \in E_i]$, where $i \in \{1, 2, 3\}$. We shall use the following constraints: $v_2 \ge u_2$, $v_3 \le u_3 + \varepsilon$ and $v_1 \ge u_1 - \varepsilon$. Now, consider the following manipulation:

$$\begin{aligned}
\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E) &= \frac{1}{2} \sum_{s \in E} \left| \frac{P[\mathbf{a} = s]}{\alpha} - \frac{P[\mathbf{b} = s]}{\beta} \right| = \sum_{s \in E_3} \left( \frac{P[\mathbf{b} = s]}{\beta} - \frac{P[\mathbf{a} = s]}{\alpha} \right) = \frac{v_3}{\beta} - \frac{u_3}{\alpha} \\
&= \frac{v_3}{v_1 + v_2 + v_3} - \frac{u_3}{\alpha} \\
&\le \frac{u_3 + \varepsilon}{v_1 + v_2 + u_3 + \varepsilon} - \frac{u_3}{\alpha} && (\because v_3 \le u_3 + \varepsilon) \\
&\le \frac{u_3 + \varepsilon}{u_1 + u_2 + u_3} - \frac{u_3}{\alpha} && (\because v_1 \ge u_1 - \varepsilon,\ v_2 \ge u_2) \\
&= \frac{u_3 + \varepsilon}{\alpha} - \frac{u_3}{\alpha} = \frac{\varepsilon}{\alpha} \le \frac{\varepsilon}{\delta}.
\end{aligned}$$

This completes the proof that $\mathrm{SD}(\mathbf{a}_E, \mathbf{b}_E) \le \varepsilon/\delta$. Equality holds if and only if $\{ s \mid P[\mathbf{a} = s] \ne P[\mathbf{b} = s] \} \subseteq E$ and $P[\mathbf{a} \in E] = \delta$. □

The following lemma states that two random variables are close to being independent (i.e., close to some product distribution) if and only if they are close to the product of their own marginal distributions.

Lemma A.6. Let $(\mathbf{a}, \mathbf{b})$ be jointly distributed random variables such that $\mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{u} \times \mathbf{v})) \le \varepsilon$ for some random variables $\mathbf{u}$ and $\mathbf{v}$. Then it holds that $\mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{a} \times \mathbf{b})) \le 3\varepsilon$.

Proof. $\mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{u} \times \mathbf{v})) \le \varepsilon$ implies that $\mathrm{SD}(\mathbf{a}, \mathbf{u}) \le \varepsilon$ and $\mathrm{SD}(\mathbf{b}, \mathbf{v}) \le \varepsilon$. Therefore, by two applications of the triangle inequality it holds that:

$$\mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{a} \times \mathbf{b})) \le \mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{u} \times \mathbf{v})) + \mathrm{SD}((\mathbf{u} \times \mathbf{v}), (\mathbf{a} \times \mathbf{v})) + \mathrm{SD}((\mathbf{a} \times \mathbf{v}), (\mathbf{a} \times \mathbf{b})) \le 3\varepsilon. \qquad \square$$



The following lemma states that whenever two random variables $(\mathbf{a}, \mathbf{b})$ are close to being independent, they remain so even if we sample $\mathbf{a}$ conditioned on some partial leakage $\mathbf{c}$ that is a function of $\mathbf{b}$.

Lemma A.7. Let $(\mathbf{a}, \mathbf{b})$ be jointly distributed random variables such that $\mathrm{SD}((\mathbf{a}, \mathbf{b}), (\mathbf{a} \times \mathbf{b})) \le \varepsilon$. Suppose $\mathbf{c} = f(\mathbf{b})$ is a possibly randomized function of $\mathbf{b}$, where the random tape for $f(\cdot)$ is chosen uniformly and independently at random. Given a sample for $(\mathbf{b}, f(\mathbf{b}) = c)$, let $\mathbf{a}'$ be another random variable sampled from the distribution $(\mathbf{a} \mid c)$. Then it holds that $\mathrm{SD}((\mathbf{b}, \mathbf{a}'), (\mathbf{b} \times \mathbf{a})) \le \varepsilon$.
Proof. Suppose $f(b; r)$ is the deterministic function where $r$ is the random tape used to evaluate the randomized function $f$. This case reduces to the deterministic case as follows:

$$\mathrm{SD}((\mathbf{b}, \mathbf{a}'), (\mathbf{b} \times \mathbf{a})) \le \mathrm{SD}((\mathbf{b}, \mathbf{a}', \mathbf{r}), (\mathbf{b} \times \mathbf{a} \times \mathbf{r})) = \mathrm{SD}(((\mathbf{b} \times \mathbf{r}), \mathbf{a}'), ((\mathbf{b} \times \mathbf{r}) \times \mathbf{a}))$$

Henceforth, we can assume, without loss of generality, that $f$ is a deterministic function. In this case:

$$\begin{aligned}
2\,\mathrm{SD}((\mathbf{b}, \mathbf{a}'), (\mathbf{b} \times \mathbf{a})) &= \sum_a \sum_b P[\mathbf{b} = b] \cdot \big| P[\mathbf{a} = a \mid \mathbf{c} = f(b)] - P[\mathbf{a} = a] \big| \\
&= \sum_a \sum_c \sum_{b \in f^{-1}(c)} P[\mathbf{b} = b] \cdot \big| P[\mathbf{a} = a \mid c] - P[\mathbf{a} = a] \big| \\
&= \sum_a \sum_c P[\mathbf{c} = c] \cdot \big| P[\mathbf{a} = a \mid c] - P[\mathbf{a} = a] \big| \\
&= \sum_a \sum_c \big| P[\mathbf{a} = a, \mathbf{c} = c] - P[\mathbf{a} = a]\, P[\mathbf{c} = c] \big| \\
&= \sum_a \sum_c \Big| \sum_{b \in f^{-1}(c)} \big( P[\mathbf{a} = a, \mathbf{b} = b] - P[\mathbf{a} = a]\, P[\mathbf{b} = b] \big) \Big| \\
&\le \sum_a \sum_c \sum_{b \in f^{-1}(c)} \big| P[\mathbf{a} = a, \mathbf{b} = b] - P[\mathbf{a} = a]\, P[\mathbf{b} = b] \big| \\
&= 2\,\mathrm{SD}((\mathbf{b}, \mathbf{a}), (\mathbf{b} \times \mathbf{a})). \qquad \square
\end{aligned}$$
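As an added illustration (not code from the paper), the following Python script computes statistical distance with exact rationals and checks Lemma A.5 and Lemma A.7 on constructed distributions: the $\varepsilon/\delta$ bound of Lemma A.5 (which is attained exactly when every point where $\mathbf{a}$ and $\mathbf{b}$ differ lies inside $E$) and the leakage bound of Lemma A.7. The distributions $A$, $B$, $\mathrm{JOINT}$ and the leakage function are all constructed here for the check.

```python
from fractions import Fraction as F


def sd(p, q):
    """SD(p, q) = 1/2 * sum_s |p(s) - q(s)| over Supp(p) ∪ Supp(q) (Appendix A.1.1)."""
    return F(1, 2) * sum(abs(p.get(s, F(0)) - q.get(s, F(0))) for s in set(p) | set(q))


def condition(p, event):
    """The distribution (p | E): keep the outcomes in E and renormalise by P[p ∈ E]."""
    mass = sum(pr for s, pr in p.items() if s in event)
    if mass == 0:
        raise ValueError("conditioning on a zero-probability event")
    return {s: pr / mass for s, pr in p.items() if s in event}


def product_dist(p, q):
    """(p × q): independent copies of p and q, keyed as (s, t)."""
    return {(s, t): p[s] * q[t] for s in p for t in q}


def marginal(joint, idx):
    """Marginal of coordinate idx of a joint distribution keyed by tuples."""
    m = {}
    for key, pr in joint.items():
        m[key[idx]] = m.get(key[idx], F(0)) + pr
    return m


def lemma_a5(a, b, event):
    """Return (SD(a_E, b_E), eps/delta, 3eps/(2delta)) with eps = SD(a, b), delta = P[a ∈ E]."""
    eps = sd(a, b)
    delta = sum(pr for s, pr in a.items() if s in event)
    lhs = sd(condition(a, event), condition(b, event))
    return lhs, eps / delta, 3 * eps / (2 * delta)


def lemma_a7(joint_ab, f):
    """joint_ab is {(a, b): prob}; f is a deterministic leakage c = f(b).
    Returns (SD((b, a'), (b × a)), SD((a, b), (a × b))) where a' is drawn from (a | c = f(b))."""
    a_marg, b_marg = marginal(joint_ab, 0), marginal(joint_ab, 1)
    ac, c_marg = {}, {}                       # P[a = a, c = c] and P[c = c]
    for (av, bv), pr in joint_ab.items():
        c = f(bv)
        ac[(av, c)] = ac.get((av, c), F(0)) + pr
        c_marg[c] = c_marg.get(c, F(0)) + pr
    # Law of (b, a'): draw b, leak c = f(b), then draw a' from (a | c).
    ba_prime = {}
    for bv, pb in b_marg.items():
        c = f(bv)
        for av in a_marg:
            ba_prime[(bv, av)] = pb * ac.get((av, c), F(0)) / c_marg[c]
    ba = {(bv, av): pr for (av, bv), pr in joint_ab.items()}
    b_times_a = product_dist(b_marg, a_marg)
    return sd(ba_prime, b_times_a), sd(ba, b_times_a)


# Constructed sample distributions (not from the paper).
A = {0: F(1, 4), 1: F(1, 4), 2: F(1, 4), 3: F(1, 4)}   # uniform on {0,1,2,3}
B = {0: F(3, 8), 1: F(1, 8), 2: F(1, 4), 3: F(1, 4)}   # SD(A, B) = 1/8; differs from A only on {0,1}
JOINT = {(0, 0): F(1, 4), (0, 1): F(1, 8), (0, 2): F(1, 8),   # (a, b) pairs, a ∈ {0,1}, b ∈ {0,1,2}
         (1, 0): F(1, 8), (1, 1): F(1, 8), (1, 2): F(1, 4)}


def check_all():
    """Run the three checks and return their numbers; every bound must hold."""
    tight = lemma_a5(A, B, {0, 1})      # E contains every point where A and B differ: SD = eps/delta
    slack = lemma_a5(A, B, {1, 2})      # E misses point 0: strict inequality
    leak = lemma_a7(JOINT, lambda b: int(b == 0))   # leak one bit about b
    assert tight[0] <= tight[1] <= tight[2] and slack[0] <= slack[1] and leak[0] <= leak[1]
    return tight, slack, leak


if __name__ == "__main__":
    for name, res in zip(("tight", "slack", "leak"), check_all()):
        print(name, [str(x) for x in res])
```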



A.5 Proving Lemma A.2 and Lemma A.3

We shall prove both Lemma A.2 and Lemma A.3 using the following intermediate lemma.

Lemma A.8. Suppose $V_E^{(i)}$ is the view of Eve by the end of the $i$-th round with respect to the two-party protocol in which the inputs are chosen at random, and is such that the $(1 - \varepsilon)$-Independence and $\varepsilon$-Lightness properties hold conditioned on $V_E^{(i)}$. Suppose $x \in X$, $y \in Y$ are such that $P[x, y \mid V_E^{(i)}] \ge \gamma$ and $m$ is the total number of Alice's queries. Then both of the following hold:

1. $P\big[Q_A^{(i+1)} \cap Q_B^{(i)} \not\subseteq Q_E^{(i)} \;\big|\; V_E^{(i)}, x, y\big] \le O(m\varepsilon/\gamma)$.

2. The following two are $O(m\varepsilon/\gamma)$-close:

$$(\mathbf{V}_A^{(i+1)}, \mathbf{V}_B^{(i)} \mid V_E^{(i)}, x, y) \quad \text{and} \quad \big((\mathbf{V}_A^{(i+1)} \mid V_E^{(i)}, x) \times (\mathbf{V}_B^{(i)} \mid V_E^{(i)}, y)\big).$$

Before proving Lemma A.8 we shall see how it can be used to prove Lemma A.2 and Lemma A.3.

A.5.1 Proof of Lemma A.2

For simplicity, we shall use another parameter $0 < \sigma < 1$ and prove the following result: With probability at least $1 - \varepsilon - \sigma|X|$ over the choice of the Eve view $V_E^{(i)} \leftarrow \mathbf{V}_E^{(i)}$ at least one of the following holds:

1. $P[y \mid V_E^{(i)}, x] < \sigma$,

2. $P[y' \mid V_E^{(i)}, x] < \sigma$, or

3. $\mathrm{SD}\big((\mu_{i+1} \mid V_E^{(i)}, x, y), (\mu_{i+1} \mid V_E^{(i)}, x, y')\big) \le O(m\varepsilon/\sigma^2)$, where $m$ is the number of oracle queries asked by Alice during the protocol.

Then Lemma A.2 follows by setting $\varepsilon = \sigma^3$ and taking $\varepsilon' = \max(\sigma,\ \varepsilon + \sigma|X|,\ m\varepsilon/\sigma^2)$ in the above statement.

By Lemma A.1, with probability at least $1 - \varepsilon$ over the choice of $V_E^{(i)}$, the $(1 - \varepsilon)$-Independence and $\varepsilon$-Lightness properties both hold. Corollary A.4 implies that with probability at least $1 - \sigma|X|$ we shall have $P[x \mid V_E^{(i)}] \ge \sigma$. By a union bound, both these events hold with probability at least $1 - \varepsilon - \sigma|X|$. Henceforth, we shall assume that both these conditions hold for our choice of $V_E^{(i)}$.

For our choice of $V_E^{(i)}$, if one of the first two cases of Lemma A.2 holds then we are done. Suppose this is not the case. Then, we have $P[y \mid V_E^{(i)}, x] \ge \sigma$ and $P[y' \mid V_E^{(i)}, x] \ge \sigma$. Therefore we can conclude that both pairs of inputs $(x, y)$ and $(x, y')$ are "likely" conditioned on $V_E^{(i)}$. More formally:

$$P[x, y \mid V_E^{(i)}] \ge P[x \mid V_E^{(i)}] \cdot P[y \mid V_E^{(i)}, x] \ge \sigma^2 \quad \text{and similarly} \quad P[x, y' \mid V_E^{(i)}] \ge \sigma^2$$

So, currently we are considering $V_E^{(i)}$ such that $P[x, y \mid V_E^{(i)}] \ge \sigma^2$, $P[x, y' \mid V_E^{(i)}] \ge \sigma^2$, and the $(1 - \varepsilon)$-Independence and $\varepsilon$-Lightness guarantees hold. Therefore Lemma A.2 follows by the second part of Lemma A.8, because $(\mathbf{V}_A^{(i+1)} \mid V_E^{(i)}, x)$ is independent of $y$ and $y'$, and $\mu_{i+1}$ is a function of $V_A^{(i+1)}$.

A.5.2 Proof of Lemma A.3 

Similarly to the proof of Lemma A.2, we use another parameter < a < 1 and prove the following 
statement: With probability 1 — 0(e + cr\X\ ■ \y\ + me/a 2 ) over the samples at least one of the following 
is true: 

1. P[y' | V%\x]<<T,ot 

2. Q2 +1) n(Qg } ugf)cQ(F|)). 

Lemma A.3 follows by setting a 3 = e and e / = e + o"|A'|-|3 ; | + me /a 2 in the above mentioned statement. 
Recall that with probability at least 1 — e, the sampled Eve view Vg has the (1 — e) -Independence 

(i) 

and the e-Lightness properties. Henceforth, we shall restrict ourselves to such Vg . By Corollary A.4 we 
conclude that with probability at least 1 — cr\X\ it holds that P[x \ Vg ] > a. If P[y'\vjp, x] < a for this 
Eve view Vg , then we are done. So, assume on the contrary that P[y'\ Vg , x] > cr, which implies that: 

P[x,y' | V«] > P[x | V«] • P[y' | Vg,x] > a 2 

Since (x, y) -A X x y, we can apply Corollary A.4 directly to conclude that with probability at least 
1 — tT 2 |Af||^|, P[x,y | Vg^] > a 2 . By union bound, we can assume that all these properties hold with 
probability 1 — 0(er + cr|Af| - |3^|)- Henceforth, we shall assume that Vg satisfies these conditions. 

First, using $P[x, y \mid V_E^{(i)}] > \sigma^2$ and by a direct application of Lemma A.8 we can conclude that with probability $1 - O(m\epsilon/\sigma^2)$, it holds that $Q(V_A^{(i+1)}) \cap Q_B^{(i)} \subseteq Q(V_E^{(i)})$. Thus, it suffices to show that with probability $1 - O(m\epsilon/\sigma^2)$, it holds that $Q(V_A^{(i+1)}) \cap Q_B'^{(i)} \subseteq Q(V_E^{(i)})$, in which case Lemma A.3 would trivially follow by a union bound from these two results.

Let us define $V_B'^{(i)}$ and $Q_B'^{(i)}$ similarly to $V_B^{(i)}$ and $Q_B^{(i)}$, with the only difference that we sample them conditioned on the input $y'$. Then the same exact proof as for the case of likely input $y$ can be applied to the case of likely input $y'$, and we conclude that with probability $1 - O(m\epsilon/\sigma^2)$, it holds that $Q(V_A^{(i+1)}) \cap Q_B'^{(i)} \subseteq Q(V_E^{(i)})$.

We emphasize that the distributions $V_B'^{(i)}$ and $V_B''^{(i)}$ (defined below) are not identical. Although both are sampled based on Bob's input being $y'$ and Eve's view being $V_E^{(i)}$, the latter is additionally conditioned on the next message $m_{i+1}$ of Alice. Here, we shall be leveraging Lemma A.7.

So, consider an Eve view $V_E^{(i)}$ with the following properties:

1. The $(1-\epsilon)$-Independence and $\epsilon$-Lightness properties hold, and

2. $P[x, y' \mid V_E^{(i)}] > \sigma^2$.

Let $(V_A^{(i+1)}, V_B'^{(i)})$ represent the joint Alice-Bob views when Alice has input $x$ and Bob has input $y'$. By Lemma A.8, we know that this distribution is $O(m\epsilon/\sigma^2)$ close to the distribution $(V_A^{(i+1)} \mid V_E^{(i)}, x) \times (V_B^{(i)} \mid V_E^{(i)}, y')$. Let $(V_A^{(i+1)}, V_B''^{(i)})$ represent the joint Alice-Bob views when Alice has input $x$ and Bob has input $y'$ as picked in our experiment, i.e. Bob's view is additionally conditioned on the next message $m_{i+1}$. Considering $m_{i+1}$ as a leakage on $V_A^{(i+1)}$, we can conclude that $(V_A^{(i+1)}, V_B''^{(i)})$ is also $O(m\epsilon/\sigma^2)$ close to $(V_A^{(i+1)} \mid V_E^{(i)}, x) \times (V_B^{(i)} \mid V_E^{(i)}, y')$, by Lemma A.7. Consequently, the distributions $(V_A^{(i+1)}, V_B'^{(i)})$ and $(V_A^{(i+1)}, V_B''^{(i)})$ are $O(m\epsilon/\sigma^2)$ close.

Recall that the probability of the event $Q(V_A^{(i+1)}) \cap Q_B'^{(i)} \subseteq Q(V_E^{(i)})$ when Alice-Bob views are sampled according to $(V_A^{(i+1)}, V_B'^{(i)})$ is $1 - O(m\epsilon/\sigma^2)$. So, the probability of the same event when Alice-Bob joint views are sampled according to $(V_A^{(i+1)}, V_B''^{(i)})$ is also $1 - O(m\epsilon/\sigma^2)$. This concludes the proof of Lemma A.3.

A.5.3 Proof of Lemma A.8 

Finally we prove Lemma A.8. Recall that with respect to the Eve view $V_E^{(i)}$, $(1-\epsilon)$-Independence and $\epsilon$-Lightness hold, when the protocol is run with uniformly chosen $x \in X$ and $y \in Y$. Consider the space of all Alice and Bob private views and random oracles such that $V_E^{(i)}$ is produced as the view of Eve. We know by Lemma A.1 that the distribution of $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)})$ is $\epsilon$ close to a distribution $(U_A \times U_B) = (V_A^{(i)} \mid V_E^{(i)}) \times (V_B^{(i)} \mid V_E^{(i)})$.

Additionally, we are also given that $P[x, y \mid V_E^{(i)}] > \gamma$. Now, consider the event $E$ such that $x$ and $y$ are actually the local inputs in the sampled Alice and Bob views $V_A^{(i)}$ and $V_B^{(i)}$. By Lemma A.5, we can conclude that $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$ is $\epsilon/\gamma$ close to the distribution $(U_A \times U_B \mid x, y) = (U_A \mid x) \times (U_B \mid y)$. Now, observe that when Alice and Bob views are sampled according to $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$, then they also satisfy the $\epsilon/\gamma$-Lightness property. Otherwise we can use the fact that $P[x, y \mid V_E^{(i)}] > \gamma$ to show that $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)})$ does not satisfy the $\epsilon$-Lightness property. Now, since the distribution $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$ has the $\epsilon/\gamma$-Lightness property and is $\epsilon/\gamma$ close to the product distribution $(U_A \mid x) \times (U_B \mid y)$, this implies that the distribution $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$ satisfies the $(1-\epsilon')$-Independence and $\epsilon'$-Lightness properties, where $\epsilon' = \epsilon/\gamma$. Next, based on these properties, we shall first prove the first part of Lemma A.8 by showing that

$P[Q(V_A^{(i+1)}) \cap Q(V_B^{(i)}) \not\subseteq Q(V_E^{(i)}) \mid V_E^{(i)}, x, y] \leq O(m\epsilon')$.

We define several hybrid experiments where the distribution of $V_A^{(i+1)}$ and $V_B^{(i)}$ is defined differently in each of them. We are interested in comparing the probability $p_i$ of the bad event $B$, defined as $Q(V_A^{(i+1)}) \cap Q(V_B^{(i)}) \not\subseteq Q(V_E^{(i)})$, in the game $\mathrm{Game}_i$.

$\mathrm{Game}_0$: In this game the views $V_A^{(i+1)}$ and $V_B^{(i)}$ are jointly sampled consistent with $V_E^{(i)}$ and local inputs $x$ and $y$.

$\mathrm{Game}_1$: This game is indeed a perfect lazy simulation of $\mathrm{Game}_0$:

1. Sample $(V_A^{(i)}, V_B^{(i)})$ according to the distribution $(V_A^{(i)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$.

2. Start the next message generation algorithm for Alice. If any query $q$ asked by Alice is already contained in $Q(V_A^{(i)}) \cup Q(V_B^{(i)}) \cup Q(V_E^{(i)})$, then it is consistently answered. Otherwise, a uniformly random answer is provided.

So, the probability $p_1$ of the bad event $Q(V_A^{(i+1)}) \cap Q(V_B^{(i)}) \not\subseteq Q(V_E^{(i)})$ in this game is still equal to $p_0$.
$\mathrm{Game}_2$: In this game

1. Alice and Bob views are drawn according to $(V_A^{(i)} \mid V_E^{(i)}, x) \times (V_B^{(i)} \mid V_E^{(i)}, y)$.

2. Start the next message generation algorithm for Alice while respecting the answers to Bob's private queries. Namely, if any query $q$ asked by Alice is already contained in $Q(V_A^{(i)}) \cup Q(V_B^{(i)}) \cup Q(V_E^{(i)})$, then it is consistently answered. Otherwise, a uniformly random answer is provided.

By $(1-\epsilon')$-Independence we know that $\mathrm{Game}_1$ and $\mathrm{Game}_2$ are $\epsilon'$ close, so $p_1 \leq p_2 + \epsilon'$.

Now, we shall bound $p_2$. Recall that $\epsilon'$-Lightness of $(V_B^{(i)} \mid V_E^{(i)}, y)$ implies that any query not already answered in $V_E^{(i)}$ occurs with probability at most $\epsilon'$ in a Bob view $V_B^{(i)} \xleftarrow{\$} (V_B^{(i)} \mid V_E^{(i)}, y)$. So, the probability of the $m$ new queries of Alice hitting any query of a Bob view $V_B^{(i)} \xleftarrow{\$} (V_B^{(i)} \mid V_E^{(i)}, y)$ is at most $m\epsilon'$, by a union bound. So, $p_2 \leq m\epsilon'$. This implies that $p_0 = p_1 \leq p_2 + \epsilon' \leq (m+1)\epsilon'$. This completes the proof of the first part of Lemma A.8.

Proving the second part of Lemma A.8. In our previous hybrids, we showed that the joint distributions of views $(V_A^{(i+1)}, V_B^{(i)})$ in $\mathrm{Game}_0$ and $\mathrm{Game}_2$ are $\epsilon'$ far.

Consider the following $\mathrm{Game}_3$ as the next hybrid following $\mathrm{Game}_2$: In this game

1. Alice and Bob views are drawn according to $(V_A^{(i)} \mid V_E^{(i)}, x) \times (V_B^{(i)} \mid V_E^{(i)}, y)$.

2. Start the next message generation algorithm for Alice without respecting the answers to Bob's private queries. Namely, if any query $q$ asked by Alice is already contained in $Q(V_A^{(i)}) \cup Q(V_E^{(i)})$, then it is consistently answered. Otherwise, a uniformly random answer is provided.

If the bad event $Q(V_A^{(i+1)}) \cap Q(V_B^{(i)}) \not\subseteq Q(V_E^{(i)})$ does not occur, then the distributions of Alice-Bob joint views sampled in $\mathrm{Game}_2$ and $\mathrm{Game}_3$ are identical. Further, the distribution of Alice views in $\mathrm{Game}_3$ is identical to $(V_A^{(i+1)} \mid V_E^{(i)}, x)$. Note that by the same argument as above, the probability $p_3$ of the bad event is at most $m\epsilon'$, because the argument was independent of how Alice's queries were answered. So, the joint distributions of views $(V_A^{(i+1)}, V_B^{(i)})$ in $\mathrm{Game}_2$ and $\mathrm{Game}_3$ are at most $\max\{p_2, p_3\} \leq m\epsilon'$ far.

Therefore, the statistical distance between $(V_A^{(i+1)}, V_B^{(i)} \mid V_E^{(i)}, x, y)$ and $(V_A^{(i+1)} \mid V_E^{(i)}, x) \times (V_B^{(i)} \mid V_E^{(i)}, y)$ is at most $(m+1)\epsilon'$. Thus, the second part of Lemma A.8 follows.

B Some Examples for Intuition 

B.l Undecomposable Functions 

We give examples of some representative undecomposable functions in Figure 5, Figure 6 and Figure 7.

Figure 5: A Complete (and Undecomposable) Function.

Figure 6: An Incomplete but Undecomposable Function (Minimum $|X| + |Y|$).

Figure 7: An Incomplete but Undecomposable Function (Minimum $|Z|$).
B.2 Decomposable Example 

Let us consider the example of computing the maximum of Alice's and Bob's inputs, where Alice's input set is {1, 3, 5} and Bob's input set is {0, 2, 4}. This function is decomposable and its decomposition provides a perfectly semi-honest secure protocol, see Figure 8. The semi-honest protocol is as follows:
Protocol to compute the maximum of Alice's and Bob's inputs:

1. If Alice's input is 5, then she announces the outcome to be 5; Otherwise she asks Bob to 
proceed. 

2. If Bob's input is 4, then he announces the outcome to be 4; Otherwise he asks Alice to
proceed.

3. If Alice's input is 3, then she announces the outcome to be 3; Otherwise she asks Bob to 
proceed. 

4. Now, Alice's input is 1 for certain. If Bob's input is 2, then he announces the outcome to 
be 2; Otherwise the outcome is 1. 
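The following is an added example, not code from the paper: it runs the four-step protocol above and checks the property that makes the decomposition perfectly semi-honest secure, namely that the transcript (each party's view beyond its own input) is a function of the output alone, so a simulator given only the output reproduces it exactly. The names SCHEDULE, run_protocol and simulate_transcript are this example's own.

```python
from itertools import product

ALICE_INPUTS = (1, 3, 5)   # Alice's input set
BOB_INPUTS = (0, 2, 4)     # Bob's input set

# Speaking order of the decomposition (constructed to match the four steps
# above): at each step the named party either announces the output, if it
# holds that value, or tells the other party to proceed.
SCHEDULE = (("A", 5), ("B", 4), ("A", 3), ("B", 2))


def run_protocol(a, b):
    """Run the protocol on inputs a (Alice) and b (Bob); return (output, transcript)."""
    transcript = []
    for party, value in SCHEDULE:
        own = a if party == "A" else b
        if own == value:
            transcript.append((party, value))
            return value, tuple(transcript)
        transcript.append((party, "proceed"))
    transcript.append(("B", 1))  # step 4 fall-through: Alice holds 1, Bob holds 0
    return 1, tuple(transcript)


def simulate_transcript(output):
    """Semi-honest simulator: rebuilds the transcript from the output alone,
    without knowing either party's input."""
    transcript = []
    for party, value in SCHEDULE:
        if output == value:
            transcript.append((party, value))
            return tuple(transcript)
        transcript.append((party, "proceed"))
    transcript.append(("B", 1))
    return tuple(transcript)


def is_correct():
    """True iff the protocol outputs max(a, b) on every input pair."""
    return all(run_protocol(a, b)[0] == max(a, b)
               for a, b in product(ALICE_INPUTS, BOB_INPUTS))


def is_perfectly_secure():
    """True iff every real transcript equals the simulated one, i.e. a party's
    view is a function of (own input, output): perfect semi-honest security."""
    return all(run_protocol(a, b)[1] == simulate_transcript(max(a, b))
               for a, b in product(ALICE_INPUTS, BOB_INPUTS))
```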




C Black-box Separation Proof 

Proof of Theorem 7.2. It is immediate that (1) $\Rightarrow$ (2) $\Rightarrow$ (3). We shall show that (3) $\Rightarrow$ (1). In fact, for clarity, first we shall show (2) $\Rightarrow$ (1) before extending the argument to show (3) $\Rightarrow$ (1).

We rely on the following claim. 

Claim C.1. Let $f$ be a deterministic two-party function which does not have a perfectly semi-honest secure protocol. For any security-parameter preserving fully black-box construction $(\Pi, S)$ of $\mathrm{SFE}_f$ from OWF, there exist $\mathcal{Q} \in \mathcal{F}_{\mathrm{OWF}}$ and an oracle algorithm $\mathrm{Adv}$ such that $(\Pi^{\mathcal{Q}}, \mathrm{Adv}^{\mathcal{Q}}) \in R_{\mathrm{SFE}_f}$ and $(\mathcal{Q}, S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}) \notin R_{\mathrm{OWF}}$.

Before proving this claim, we note that it indeed shows (2) $\Rightarrow$ (1), as follows. Suppose, for the sake of contradiction, that $(\Pi, S)$ is a security-parameter preserving PPT-secure fully black-box construction of $\mathrm{SFE}_f$ from OWF, for some deterministic two-party function $f$ which does not have a perfectly semi-honest secure protocol. For $(\Pi, S)$, let $\mathcal{Q} \in \mathcal{F}_{\mathrm{OWF}}$ and $\mathrm{Adv}$ be as guaranteed in Claim C.1. Let $A$ stand for $\mathrm{Adv}^{\mathcal{Q}}$. The claim guarantees that $(\Pi^{\mathcal{Q}}, A) \in R_{\mathrm{SFE}_f}$. Consequently, by the security guarantee of a fully black-box construction, we have $(\mathcal{Q}, S^{\mathcal{Q}, A}) \in R_{\mathrm{OWF}}$. But this contradicts the guarantee from Claim C.1.

Proof of Claim C.1. Let $\mathcal{U}_\kappa = \{g : \{0,1\}^\kappa \to \{0,1\}^\kappa\}$ denote the set of all length preserving functions over $\{0,1\}^\kappa$. Let $\mathcal{U} = \mathcal{U}_1 \times \mathcal{U}_2 \times \cdots$.

Note that since $\Pi$ is security-parameter preserving, $\Pi_\kappa$ accesses only $\mathcal{Q}_\kappa$. Implicit in the proof of Theorem 1.1 is an adversary $\mathrm{Adv}$ such that, for $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{U}_\kappa$, the adversary $\mathrm{Adv}^{\mathcal{Q}_\kappa}$ breaks the security of $\Pi_\kappa^{\mathcal{Q}_\kappa}$ (as an implementation of $\mathrm{SFE}_f$) with advantage $\delta(\kappa) \geq 1/\mathrm{poly}(\kappa)$, by asking $\mathrm{poly}(\kappa)$ queries to $\mathcal{Q}_\kappa$. This will be the adversary $\mathrm{Adv}$ in the statement of the claim.

Next, we need to find a deterministic function $\mathcal{Q}$ such that $\mathrm{Adv}^{\mathcal{Q}}$ breaks $\Pi^{\mathcal{Q}}$, but there does not exist any efficient reduction $S$ such that $S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}$ breaks $\mathcal{Q}$ as an OWF implementation.

We show the existence of such a $\mathcal{Q}$ by the probabilistic method. For this, first we define $\mathcal{V}_\kappa \subseteq \mathcal{U}_\kappa$ for each $\kappa \in \mathbb{N}$ as follows. As mentioned above, $\mathrm{Adv}^{\mathcal{Q}_\kappa}$ has an advantage of $\delta(\kappa) \geq 1/\mathrm{poly}(\kappa)$ in breaking $\Pi_\kappa^{\mathcal{Q}_\kappa}$, where $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{U}_\kappa$. Then, by an averaging argument, for a subset $\mathcal{V}_\kappa \subseteq \mathcal{U}_\kappa$ with $\frac{|\mathcal{V}_\kappa|}{|\mathcal{U}_\kappa|} \geq \delta(\kappa)/2$, it holds that for all $\mathcal{Q}_\kappa \in \mathcal{V}_\kappa$, $\mathrm{Adv}^{\mathcal{Q}_\kappa}$ has an advantage of at least $\delta(\kappa)/2$ in the $\mathrm{SFE}_f$ security game for $\Pi_\kappa^{\mathcal{Q}_\kappa}$. Now, we pick $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{V}_\kappa$ independently for each security parameter $\kappa$. $\mathcal{Q}$ will be the composite oracle $(\mathcal{Q}_1, \mathcal{Q}_2, \ldots)$.

By construction, $(\Pi^{\mathcal{Q}}, \mathrm{Adv}^{\mathcal{Q}}) \in R_{\mathrm{SFE}_f}$ with probability 1, since for all $\mathcal{Q}_\kappa \in \mathcal{V}_\kappa$, $\mathrm{Adv}^{\mathcal{Q}_\kappa}$ has a significant advantage (as a function of $\kappa$) in the security game. To complete the proof, we need to show that with positive probability $\mathcal{Q}$ is such that $(\mathcal{Q}, S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}) \notin R_{\mathrm{OWF}}$.

Consider again $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{U}_\kappa$ (rather than $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{V}_\kappa$, which we shall return to shortly). For each $\kappa$, for each choice of $\mathcal{Q}_{-\kappa} = (\mathcal{Q}_1, \ldots, \mathcal{Q}_{\kappa-1}, \mathcal{Q}_{\kappa+1}, \ldots)$, define the (inefficient) machine $T_{\mathcal{Q}_{-\kappa}}$ such that $T_{\mathcal{Q}_{-\kappa}}^{\mathcal{Q}_\kappa}$ simulates $S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}$. $T_{\mathcal{Q}_{-\kappa}}$ internally simulates all of $\mathcal{Q}$ except $\mathcal{Q}_\kappa$, which it accesses through oracle calls. Even though $T_{\mathcal{Q}_{-\kappa}}$ is inefficient, since $S$ is efficient, the number of oracle queries it makes is bounded by $\mathrm{poly}(\kappa)$. W.l.o.g., we can assume that a machine $T^{\mathcal{Q}_\kappa}$ can invert an input $y$ with respect to its oracle only if one of its oracle queries is answered by $y$ (by adding a final query, in which it queries the oracle at its output).

But when $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{U}_\kappa$ this happens with only negligible probability for a machine making polynomially many queries, because each distinct query is answered by a $\kappa$-bit string chosen uniformly at random, which has a probability of $\frac{1}{2^\kappa}$ of being equal to $y$.

Thus, if $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{U}_\kappa$, then for each choice of $\mathcal{Q}_{-\kappa}$, the probability that $S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}$ has a non-negligible advantage in breaking $\mathcal{Q}$ at $\kappa$ is $\nu(\kappa)$ for some negligible function $\nu$. Then if $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{V}_\kappa$, this probability is at most $\nu(\kappa) \frac{|\mathcal{U}_\kappa|}{|\mathcal{V}_\kappa|}$, which is also negligible (since $\frac{|\mathcal{V}_\kappa|}{|\mathcal{U}_\kappa|} \geq \delta(\kappa)/2$).

Then, by a union bound over all $\kappa > \kappa_0$ for a sufficiently large value of $\kappa_0$, the probability that $S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}$ has a non-negligible advantage in breaking $\mathcal{Q}$ at some $\kappa > \kappa_0$ is $\sum_{\kappa > \kappa_0} \nu(\kappa) < 1$ (and can in fact be made arbitrarily close to 0, by choosing $\kappa_0$ large enough). In particular, there exists $\mathcal{Q}$ such that $S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}$ does not have a non-negligible advantage in breaking $\mathcal{Q}$ at infinitely many values of $\kappa$. That is, $(\mathcal{Q}, S^{\mathcal{Q}, \mathrm{Adv}^{\mathcal{Q}}}) \notin R_{\mathrm{OWF}}$. $\square$

Extending to $\mathrm{OWF}_\ell$. The above argument can be easily extended to show (3) $\Rightarrow$ (1), to complete the proof. Fix a polynomial $\ell$. Then, in the above argument consider the set $\mathcal{W}_\kappa := \{g^{\ell}(\kappa, \cdot) \mid g : \{0,1\}^* \to \{0,1\}^\kappa\}$ (i.e., the set of functions that map $x$ with $|x| \leq \ell(\kappa)$ to $y \in \{0,1\}^\kappa$), instead of $\mathcal{U}_\kappa$. We remark that for the adversary from the proof of Theorem 1.1 it was not crucial that the random oracle has input domain $\{0,1\}^\kappa$, or that the oracle is length-preserving, as long as the queries are answered independently of each other. The rest of the argument, including the fact that an inverter making polynomially many queries to an oracle $\mathcal{Q}_\kappa \xleftarrow{\$} \mathcal{W}_\kappa$ can have only a negligible success probability, remains unchanged.